Abstract. We show that the model-checking problem is decidable for a fragment
of the epistemic μ-calculus with imperfect information and perfect recall.
The fragment allows free variables within the scope of epistemic modalities in a
restricted form that avoids constructing formulas embodying any form of common
knowledge. Our calculus subsumes known decidable fragments of epistemic
CTL/LTL, may express winning strategies in two-player games with one player
having imperfect information and non-observable objectives, and, with a suitable
encoding, decidable instances of the model-checking problem for ATL$_{iR}$ can
be encoded as instances of the model-checking problem for the μ-calculus of
knowledge.



1 Introduction 

The μ-calculus of knowledge is an enrichment of the μ-calculus on trees with
individual epistemic modalities $K_a$ (and its dual, denoted $P_a$). It is designed with the
aim that, like the classical modal μ-calculus, it would subsume most combinations of
temporal and epistemic logics. The μ-calculus of knowledge is more expressive than linear
or branching temporal epistemic logics [12,20], propositional dynamic epistemic logics
[21], or the alternating epistemic μ-calculus [4]. On the other hand, some gaps in its
expressive power seem to exist, as witnessed by recent observations in [4] showing that
formulas like $\langle\langle a\rangle\rangle p_1\,\mathcal{U}\,p_2$ are not expressible in the fixpoint version of ATL.
This expressivity gap can be reproduced in the μ-calculus of knowledge, though the
μ-calculus of knowledge is richer than the alternating μ-calculus.

A rather straightforward fragment of the epistemic μ-calculus which has a decidable
model-checking problem is the one in which knowledge modalities apply only
to closed formulas, that is, formulas in which all second-order variables are bound by
some fixpoint operator. The decidability of this fragment follows from recent results on
the decidability of the emptiness problem for two player games with one player having
incomplete information and with non-observable winning conditions [6].

However, more expressive fragments having a decidable model-checking problem
seem to exist. For example, winning strategies in two-player games with imperfect
information can be encoded as fixpoint formulas in the μ-calculus of knowledge, but
not in the above-mentioned restricted fragment. The same holds for some formulas in
ATL with imperfect information and perfect recall (ATL$_{iR}$) [19, 3]: the ATL formula
$\langle\langle a\rangle\rangle \Box p$ can be expressed in a modal μ-calculus of knowledge as

$$\nu Z.\ \bigvee_{\alpha\in Act_a} K_a\Big(p \wedge \bigwedge_{\beta\in Act_{Ag\setminus\{a\}}} [\alpha,\beta]Z\Big).$$

And there are variants of ATL$_{iR}$ for which the model-checking
problem is decidable [7]. Note that a translation of each instance of the model-checking
problem for ATL into instances of the model-checking problems for the μ-calculus of
knowledge is also possible but requires the modification of the models, as suggested on
page 8 below.

Our aim in this paper is to identify such a larger fragment of the epistemic μ-calculus
for which model-checking is decidable. The fragment we propose here allows an
epistemic modality $K_a$ to be applied to a non-closed μ-calculus formula $\varphi$, but in such
a way that avoids expressing properties that construct any variant of common
knowledge for two or more agents. Roughly, the technical restriction is the following: two
epistemic operators, referring to the knowledge of two different agents a and b, can be
applied to non-closed parts of a formula only if the two agents have compatible
observations (in the sense that the observability relation of one of the agents is a refinement
of the observability relation of the other agent). The variant presented here relies on a
concrete semantics, in the sense of [9], with the observability relation for each agent a
being syntactically identified by a subset $\Pi_a$ of atomic propositions. We require this in
order to syntactically define our fragment of μ-calculus of knowledge with a decidable
model-checking problem: the compatibility of two observability relations $\sim_a$ and $\sim_b$ is
specified at the syntactic level by imposing that either $\Pi_a \subseteq \Pi_b$ or vice-versa.

The epistemic μ-calculus with perfect recall has a history-based semantics: for each
finite transition system T, the formulas of the epistemic μ-calculus must be interpreted
over the tree unfolding of T. This makes it closer to the tree interpretations of the
μ-calculus from [10]. For the classical μ-calculus, there are two ways of proving that
the satisfiability and the model-checking problem for the tree interpretation of the logic
is decidable: either by providing translations to parity games, or by means of a Finite
Model Theorem which ensures that a formula has a tree interpretation iff it has a
state-based interpretation over a finite transition system (this is known to be equivalent with
memoryless determinacy for parity games, see e.g. [5]).

The generalization of the automata approach does not seem to be possible for the
epistemic μ-calculus, mainly due to the absence of an appropriate generalization of tree
automata equivalent with the μ-calculus of knowledge. So we take the approach of
providing a generalization of the Finite Model Theorem for our fragment of the epistemic
μ-calculus. This result says roughly that the tree interpretation of a formula over the tree
unfolding of a given finite transition system T which contains the epistemic operators
$K_a$ or $P_a$ is exactly the "tree unfolding" of the finitary interpretation of the formula in
a second transition system T', which is obtained by determinizing the projection of T
onto the observations of agent a, a construction that is common for decidable fragments
of temporal epistemic logics. Our contribution consists in showing that this
construction can be applied for the appropriate fragment of the μ-calculus of knowledge. The
proof is given in terms of commutative diagrams between predicate transformers that
are the interpretations of non-closed formulas.



The model checking problem for the decidable fragment of the epistemic μ-calculus
is non-elementary hard due to the non-elementary hardness of the model-checking
problem for the linear temporal logic of knowledge [22]. In the full version of this paper [?],
we provide a self-contained proof of this result, by a reduction of the emptiness problem
for star-free regular expressions.

The rest of the paper is divided as follows: in the next section we recall the predicate
transformer semantics of the μ-calculus and adapt it to our epistemic extension, both
for the tree interpretation and the finitary interpretation. We then give our weak variant
of the Finite Model Theorem for the classical μ-calculus in the third section. The fourth
section serves for introducing our fragment of the epistemic μ-calculus and for proving
the decidability of its model-checking problem. We end with a section with conclusions
and comments.

2 Preliminaries 

We start by fixing a series of notions and notations used in the rest of the paper. 

$A^*$ denotes the set of words over A. The length of $\alpha \in A^*$ is denoted $|\alpha|$ and the
prefix of $\alpha$ up to position i is denoted $\alpha[1..i]$. Hence, $\alpha[1..0] = \varepsilon$ is the empty word.
The (strict) prefix ordering on $A^*$ is denoted $\le$ ($<$).

Given a set A and an integer $n \in \mathbb{N}$, an A-tree of outdegree $\le n$ is a partial function
$t : [1 \ldots n]^* \to A$ whose support, denoted supp(t), is a prefix-closed subset of the finite
sequences of integers in $[1 \ldots n]$. A node of t is an element of its support. A path in t is
a pair $(x, \rho)$ consisting of a node x and the sequence of t-labels of all the nodes which
are prefixes of x, ρ = (t(x[1 . . .

A multi-agent system (MAS, for short) is a tuple $M = (Q, Ag, \delta, q_0, \Pi, (\Pi_a)_{a\in Ag}, \pi)$
with Ag being the set of agents, Q the set of states, $q_0$ the initial state of the system,
$\delta \subseteq Q \times Q$, $\Pi$ the set of atomic propositions, $\pi : Q \to 2^{\Pi}$ and for all $a \in Ag$, $\Pi_a \subseteq \Pi$.
A run in the structure M from a state $q_0$ is an infinite sequence of states $\rho = q_0 q_1 q_2 \ldots$
such that $(q_i, q_{i+1}) \in \delta$ for all $i \ge 0$. The set of finite runs in M is denoted Runs(M).
Throughout this paper we consider only finite systems, with $Q = \{1, \ldots, n\}$ and $q_0 = 1$,
and we assume that Q contains only reachable states.

The $2^{\Pi}$-tree representing the unfolding of a MAS M, denoted $t_M$, is defined by
$supp(t_M) = \{x \in \mathbb{N}^* \mid 1x \in Runs(M)\}$ and $t_M(x) =$

For any two positions $x, y \in supp(t_M)$ with $|x| = |y|$, we denote $x \sim_a y$ if for any $n \le |x|$ we have that

$$\pi(t(x[1..n])) \cap \Pi_a = \pi(t(y[1..n])) \cap \Pi_a.$$

Henceforth, for a word $w \in (2^{\Pi})^*$, by $w|_{\Pi_a}$ we denote the sequence defined by
$w|_{\Pi_a}[i] = w[i] \cap \Pi_a$ for each $1 \le i \le |w|$. Note also that the relation $\sim_a$ is both a
relation on the nodes of the tree $t_M$ and on the runs of M.

Predicate transformers: Given a set A, an A-transformer is a mapping $f : (2^A)^n \to 2^A$.

Following the Knaster-Tarski theorem, any monotone A-transformer $f : 2^A \to 2^A$
has a unique least and greatest fixpoint, denoted $\mathrm{lfp}_f$, resp. $\mathrm{gfp}_f$.

For an A-transformer $f : (2^A)^n \to 2^A$, a tuple of sets $B_1, \ldots, B_n \subseteq A$ and some
$k \le n$ we denote $f_k(B_1, \ldots, B_{k-1}, \cdot, B_{k+1}, \ldots, B_n) : 2^A \to 2^A$ the A-transformer with

$$f_k(B_1, \ldots, B_{k-1}, \cdot, B_{k+1}, \ldots, B_n)(B) = f(B_1, \ldots, B_{k-1}, B, B_{k+1}, \ldots, B_n)$$

Note that when f is monotone, $f_k(B_1, \ldots, B_{k-1}, \cdot, B_{k+1}, \ldots, B_n)$ is monotone too.
Hence, both $\mathrm{lfp}_{f_k(B_1,\ldots,B_{k-1},\cdot,B_{k+1},\ldots,B_n)}$ and $\mathrm{gfp}_{f_k(B_1,\ldots,B_{k-1},\cdot,B_{k+1},\ldots,B_n)}$ exist. These
fixpoints can also be seen as the following A-transformers: $\mathrm{lfp}^k_f : (2^A)^n \to 2^A$ and
$\mathrm{gfp}^k_f : (2^A)^n \to 2^A$, defined respectively as:

$$\mathrm{lfp}^k_f(B_1, \ldots, B_n) = \mathrm{lfp}_{f_k(B_1,\ldots,B_{k-1},\cdot,B_{k+1},\ldots,B_n)}$$
$$\mathrm{gfp}^k_f(B_1, \ldots, B_n) = \mathrm{gfp}_{f_k(B_1,\ldots,B_{k-1},\cdot,B_{k+1},\ldots,B_n)}$$

Note that both these A-transformers are constant in their k-th argument. It is also
known that both these A-transformers are monotone if f is monotone.

3 The μ-calculus of Knowledge

Syntax: The syntax of the μ-calculus of knowledge (in positive form) is based on
the following sets of symbols: a finite set of agents Ag, a family of finite sets of
atomic propositions $(\Pi_a)_{a\in Ag}$ (no restrictions apply on the pairwise intersections
between these sets), with $\Pi = \bigcup_{a\in Ag} \Pi_a$ and a finite set of second-order variables
$\mathcal{Z} = \{Z_1, \ldots, Z_k\}$. The set $\Pi_a$ represents the set of atoms whose value is observable
by agent a at each instant (in the sense to be developed further).
The grammar for the formulas of the μ-calculus of knowledge is:

$$\varphi ::= p \mid \neg p \mid Z \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid AX\varphi \mid EX\varphi \mid K_a\varphi \mid P_a\varphi \mid \mu Z.\varphi \mid \nu Z.\varphi$$

where $p \in \Pi$, $a \in Ag$ and $Z \in \mathcal{Z}$. Formulas of the type $K_a\varphi$ are read as agent a knows
that $\varphi$ holds. The dual of $K_a$, denoted $P_a$ (and definable as $P_a\varphi = \neg K_a \neg\varphi$ if negation
were allowed), reads as agent a considers that $\varphi$ is possible. As usual, for a subset of
agents $A \subseteq Ag$ we may denote $E_A$ the "everybody knows" operator, $E_A\varphi = \bigwedge_{a\in A} K_a\varphi$.

The fragment of the μ-calculus of knowledge which does not involve the knowledge
operator $K_a$ (or its dual) is called here the plain μ-calculus, or simply the μ-calculus,
when there's no risk of confusion. As usual, we say that a formula $\varphi$ is closed if each
variable Z in $\varphi$ occurs in the scope of a fixpoint operator for Z.

We will also briefly consider in this paper the modal μ-calculus of knowledge, for
the sake of comparison with other combinations of temporal and epistemic logics. It has
almost the same grammar, but with the nexttime operators EX and AX replaced with
modal nexttime operators $\langle\alpha\rangle$, resp. $[\alpha]$ with $\alpha$ representing a tuple of action symbols
$\alpha = (\alpha_a)_{a\in Ag}$. Note that the modal μ-calculus of knowledge can be translated to the
non-modal μ-calculus of knowledge by converting each action name $\alpha \in Act_a$ into an
atomic proposition, so the main results of this paper generalize easily to this calculus.

We give two semantics of the μ-calculus of knowledge: a tree semantics and a
finitary semantics. The tree semantics is required because we assume that agents have
perfect recall, and hence they remember all observations made since the system started.
The second is necessary for the decision problem. The equivalence between the two
semantics on trees generated by MASs, which gives the decidability of the
model-checking problem, is a weak form of memoryless determinacy for tree automata. We
present here both semantics of the μ-calculus of knowledge in a predicate-transformer
flavor, more appropriate for stating a number of properties of the logic.



The tree semantics of the μ-calculus of knowledge is given in terms of $2^{\Pi}$-trees. For
a given tree t, each formula $\varphi$ which contains variables $Z_1, \ldots, Z_n$ is associated with a
supp(t)-transformer $\|\varphi\| : (2^{supp(t)})^n \to 2^{supp(t)}$ by structural induction, as follows:

- The two atoms p and ¬p are interpreted as constant supp(t)-transformers
$\|p\| : (2^{supp(t)})^n \to 2^{supp(t)}$ and $\|\neg p\| : (2^{supp(t)})^n \to 2^{supp(t)}$, defined by the sets
$\|p\| = \{x \in supp(t) \mid p \in \pi(t(x))\}$, resp. $\|\neg p\| = \{x \in supp(t) \mid p \notin \pi(t(x))\}$.

- Each variable $Z_i \in \mathcal{Z}$ is interpreted as the i-th projection on $(2^{supp(t)})^n$, that is,
as the supp(t)-transformer $\|Z_i\| : (2^{supp(t)})^n \to 2^{supp(t)}$ with
$\|Z_i\|(S_1, \ldots, S_n) = S_i$, $\forall S_1, \ldots, S_n \subseteq supp(t)$.

- $\|\varphi_1 \vee \varphi_2\| = \|\varphi_1\| \cup \|\varphi_2\|$ and $\|\varphi_1 \wedge \varphi_2\| = \|\varphi_1\| \cap \|\varphi_2\|$.

- Each of the two nexttime operators is mapped to a supp(t)-transformer, denoted
AX, resp. EX : $2^{supp(t)} \to 2^{supp(t)}$, defined as follows: for each $S \subseteq supp(t)$,

$$AX(S) = \{x \in supp(t) \mid \forall i \in \mathbb{N} \text{ if } xi \in supp(t) \text{ then } xi \in S\}$$
$$EX(S) = \{x \in supp(t) \mid \exists i \in \mathbb{N} \text{ with } xi \in supp(t) \text{ and } xi \in S\}$$

Then $\|AX\varphi\| = AX \circ \|\varphi\|$, and $\|EX\varphi\| = EX \circ \|\varphi\|$.

- Each pair of epistemic operators is mapped to supp(t)-transformers $K_a$, resp. $P_a$ :
$2^{supp(t)} \to 2^{supp(t)}$, defined as follows: for each $S \subseteq supp(t)$,

$$K_a(S) = \{x \in supp(t) \mid \forall y \in supp(t) \text{ with } x \sim_a y \text{ we have } y \in S\}$$
$$P_a(S) = \{x \in supp(t) \mid \exists y \in supp(t) \text{ with } x \sim_a y \text{ and } y \in S\}$$

Then $\|K_a\varphi\| = K_a \circ \|\varphi\|$ and $\|P_a\varphi\| = P_a \circ \|\varphi\|$.

- For the fixpoint operators we put $\|\mu Z_i.\varphi\| = \mathrm{lfp}^i_{\|\varphi\|}$ and $\|\nu Z_i.\varphi\| = \mathrm{gfp}^i_{\|\varphi\|}$.

Note that the two supp(t)-transformers $K_a$ and $P_a$ are dual and we have that
$K_a(S) = \overline{P_a(\overline{S})}$, with $\overline{\,\cdot\,}$ denoting the set complementation. We also denote
$t \models \varphi$ if $\varepsilon \in \|\varphi\|$.

The following property says that the μ-calculus of knowledge cannot distinguish
between isomorphic trees:

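Proposition 1. For any two MASs $M_1$ and $M_2$ for which there exists some tree
isomorphism $\chi : 2^{supp(t_{M_1})} \to 2^{supp(t_{M_2})}$, and for any μ-calculus of knowledge formula $\varphi$,
the following diagram commutes:

$$\begin{array}{ccc}
(2^{supp(t_1)})^n & \xrightarrow{\ \|\varphi\|_{M_1}\ } & 2^{supp(t_1)} \\
\downarrow \chi & & \downarrow \chi \\
(2^{supp(t_2)})^n & \xrightarrow{\ \|\varphi\|_{M_2}\ } & 2^{supp(t_2)}
\end{array} \qquad (1)$$

Proof. By straightforward structural induction on the formula $\varphi$.

Let $S_1, \ldots, S_n \in 2^{supp(t_{M_1})}$. We have to prove that
$\chi(\|\varphi\|_{M_1}(S_1, \ldots, S_n)) = \|\varphi\|_{M_2}(\chi(S_1), \ldots, \chi(S_n))$.

1. For $\varphi = p$ we have that

$$\begin{aligned}
\chi(\|\varphi\|_{M_1}(S_1, \ldots, S_n)) &= \chi(\{x \in t_{M_1} \mid \varphi \in t_{M_1}(x)\}) \\
&= \{\chi(x) \mid x \in t_{M_1},\ \varphi \in t_{M_1}(x)\} \\
&= \{y \in t_{M_2} \mid \exists x \in t_{M_1} \text{ with } \varphi \in t_{M_1}(x) \text{ s.t. } \chi(x) = y\} \quad \text{since } \chi \text{ is a bijection} \\
&= \{y \in t_{M_2} \mid \varphi \in t_{M_2}(y)\} \\
&= \|\varphi\|_{M_2}(\chi(S_1), \ldots, \chi(S_n))
\end{aligned}$$

The proof is similar for $\varphi = \neg p$.

2. For $\varphi = Z_i \in \mathcal{Z}$, $\|\varphi\|_{M_1}(S_1, \ldots, S_n) = S_i$. Then,

$$\chi(\|\varphi\|_{M_1}(S_1, \ldots, S_n)) = \chi(S_i) = \|\varphi\|_{M_2}(\chi(S_1), \ldots, \chi(S_n)).$$

3. For $\varphi = \varphi_1 \vee \varphi_2$, we have $\|\varphi\| = \|\varphi_1\| \cup \|\varphi_2\|$. By assuming that the property holds
for $\varphi_1$ and $\varphi_2$, we get

$$\begin{aligned}
\chi(\|\varphi\|_{M_1}(S_1, \ldots, S_n)) &= \chi(\|\varphi_1\|_{M_1}(S_1, \ldots, S_n) \cup \|\varphi_2\|_{M_1}(S_1, \ldots, S_n)) \\
&= \chi(\|\varphi_1\|_{M_1}(S_1, \ldots, S_n)) \cup \chi(\|\varphi_2\|_{M_1}(S_1, \ldots, S_n)) \\
&= \|\varphi_1\|_{M_2}(\chi(S_1), \ldots, \chi(S_n)) \cup \|\varphi_2\|_{M_2}(\chi(S_1), \ldots, \chi(S_n)) \\
&= \|\varphi_1 \vee \varphi_2\|_{M_2}(\chi(S_1), \ldots, \chi(S_n)).
\end{aligned}$$

A similar proof can be given for $\varphi = \varphi_1 \wedge \varphi_2$.

4. For $\varphi = AX\varphi_1$, $\|\varphi\| = AX \circ \|\varphi_1\|$. We have that

$$\begin{aligned}
\chi(\|AX\varphi_1\|_{M_1}(S_1, \ldots, S_n)) &= \chi(AX(\|\varphi_1\|_{M_1}(S_1, \ldots, S_n))) \\
&= \{\chi(x) \mid x \in supp(t_{M_1}) \text{ and } \forall i \in \mathbb{N}, \text{ if } xi \in supp(t_{M_1}) \\
&\qquad \text{then } t_{M_1}(xi) \in \|\varphi_1\|_{M_1}(S_1, \ldots, S_n)\} \\
&= \{y \mid \chi^{-1}(y) \in supp(t_{M_1}) \text{ and } \forall j \in \mathbb{N}, \text{ if } \chi^{-1}(y)\chi^{-1}(j) \in supp(t_{M_1}), \\
&\qquad \text{then } t_{M_1}(\chi^{-1}(y)\chi^{-1}(j)) \in \|\varphi_1\|_{M_1}(S_1, \ldots, S_n)\} \quad \text{since } \chi \text{ is bijective} \\
&= \{y \mid y \in supp(t_{M_2}) \text{ and } \forall j \in \mathbb{N}, \text{ if } yj \in supp(t_{M_2}) \\
&\qquad \text{then } t_{M_2}(yj) \in \chi(\|\varphi_1\|_{M_1}(S_1, \ldots, S_n))\} \\
&= \{y \in supp(t_{M_2}) \mid \forall j \in \mathbb{N} \text{ if } yj \in supp(t_{M_2}) \\
&\qquad \text{then } t_{M_2}(yj) \in \|\varphi_1\|_{M_2}(\chi(S_1), \ldots, \chi(S_n))\} \\
&= AX(\|\varphi_1\|_{M_2}(\chi(S_1), \ldots, \chi(S_n))) \\
&= AX \circ \|\varphi_1\|_{M_2}(\chi(S_1), \ldots, \chi(S_n)) \\
&= \|AX\varphi_1\|_{M_2}(\chi(S_1), \ldots, \chi(S_n)).
\end{aligned}$$

The proof is similar for $\varphi = EX\varphi_1$.

5. For $\varphi = K_a\varphi_1$, $\|\varphi\| = K_a \circ \|\varphi_1\|$. Then,

$$\begin{aligned}
\chi(\|\varphi\|_{M_1}(S_1, \ldots, S_n)) &= \chi(K_a(\|\varphi_1\|_{M_1}(S_1, \ldots, S_n))) \\
&= \chi(\{x \in supp(t_{M_1}) \mid \forall y \in supp(t_{M_1}) \text{ with } x \sim_a y \\
&\qquad \text{we have } y \in \|\varphi_1\|_{M_1}(S_1, \ldots, S_n)\}) \\
&= \{\chi(x) \in supp(t_{M_2}) \mid x \in supp(t_{M_1}) \text{ and } \forall y \in supp(t_{M_1}) \text{ with } x \sim_a y \\
&\qquad \text{we have } y \in \|\varphi_1\|_{M_1}(S_1, \ldots, S_n)\} \\
&= \{x' \in supp(t_{M_2}) \mid \forall \chi^{-1}(y') \in supp(t_{M_1}) \text{ with } \chi^{-1}(x') \sim_a \chi^{-1}(y') \\
&\qquad \text{we have } \chi^{-1}(y') \in \|\varphi_1\|_{M_1}(S_1, \ldots, S_n)\} \\
&= \{x' \in supp(t_{M_2}) \mid \forall y' \in supp(t_{M_2}) \text{ with } x' \sim_a y' \\
&\qquad \text{we have } y' \in \chi(\|\varphi_1\|_{M_1}(S_1, \ldots, S_n))\} \\
&= K_a(\chi(\|\varphi_1\|_{M_1}(S_1, \ldots, S_n))) \\
&= K_a(\|\varphi_1\|_{M_2}(\chi(S_1), \ldots, \chi(S_n))) \\
&= K_a \circ \|\varphi_1\|_{M_2}(\chi(S_1), \ldots, \chi(S_n)) \\
&= \|\varphi\|_{M_2}(\chi(S_1), \ldots, \chi(S_n)).
\end{aligned}$$

A similar proof can be given for $\varphi = P_a\varphi_1$.

6. For $\varphi = \mu Z_i.\varphi_1$, $\|\varphi\| = \mathrm{lfp}^i_{\|\varphi_1\|}$. Hence,

$$\begin{aligned}
\chi(\|\varphi\|_{M_1}(S_1, \ldots, S_n)) &= \chi(\mathrm{lfp}^i_{\|\varphi_1\|_{M_1}}(S_1, \ldots, S_n)) \\
&= \chi(\mathrm{lfp}_{\|\varphi_1\|_{i,M_1}(S_1, \ldots, S_{i-1}, \cdot, S_{i+1}, \ldots, S_n)}) \\
&= \chi(\min\{S \mid \|\varphi_1\|_{i,M_1}(S_1, \ldots, S_{i-1}, S, S_{i+1}, \ldots, S_n) = S\}) \\
&= \min\{\chi(S) \mid S \text{ s.t. } \|\varphi_1\|_{i,M_1}(S_1, \ldots, S_{i-1}, S, S_{i+1}, \ldots, S_n) = S\} \quad \chi \text{ is monotonous} \\
&= \min\{\chi(S) \mid \chi(\|\varphi_1\|_{i,M_1}(S_1, \ldots, S_{i-1}, S, S_{i+1}, \ldots, S_n)) = \chi(S)\} \\
&= \mathrm{lfp}_{\chi(\|\varphi_1\|_{i,M_1}(S_1, \ldots, S_{i-1}, \cdot, S_{i+1}, \ldots, S_n))} \quad \text{inductive step} \\
&= \mathrm{lfp}_{\|\varphi_1\|_{i,M_2}(\chi(S_1), \ldots, \chi(S_{i-1}), \cdot, \chi(S_{i+1}), \ldots, \chi(S_n))} \\
&= \mathrm{lfp}^i_{\|\varphi_1\|_{M_2}}(\chi(S_1), \ldots, \chi(S_n)) \\
&= \|\varphi\|_{M_2}(\chi(S_1), \ldots, \chi(S_n)).
\end{aligned}$$

The proof is similar for $\varphi = \nu Z_i.\varphi_1$.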

3.1 Comparison with other temporal epistemic frameworks 

We discuss the relationship between the μ-calculus of knowledge and other temporal
epistemic logics or game models with imperfect information and perfect recall.

As already noted e.g. in [20], the following fixpoint formula defines the common
knowledge operator for two agents: $C_{a,b}\varphi = \nu Z.(\varphi \wedge K_a Z \wedge K_b Z)$.

On the other hand, it's easy to see that the (modal variant of the) μ-calculus of
knowledge is more expressive than the alternating epistemic μ-calculus of [4], due to
the possibility to insert knowledge operators "in between" the quantifiers that occur in
the semantics of the coalition operators. The relationship with ATL$_{iR}$ is more involved,
as we detail in the sequel.

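Given a set of agents $A \subseteq Ag$, denote $Act_A$ the cartesian product of the set of action
symbols for each agent in A, $Act_A = \times_{a\in A} Act_a$. Then, formulas of the type $\langle\langle A\rangle\rangle \Box p$
can be expressed as the fixpoint formula

$$\nu Z.\ \bigvee_{\alpha\in Act_a} K_a\Big(p \wedge \bigwedge_{\beta\in Act_{Ag\setminus\{a\}}} [\alpha,\beta]Z\Big).$$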

Formulas containing the until operator cannot be translated into the μ-calculus of
knowledge. The reason is similar to the one explained in [4]: in formulas of the type
$\langle\langle a\rangle\rangle \Diamond p$ the objective p might not be observable by the agent a, who might only be
able to know that, at some given time instance, sometimes in the past, the objective was
achieved on all identically observable traces.

Given an ATL$_{iR}$ formula $\varphi = \langle\langle a\rangle\rangle p_1\,\mathcal{U}\,p_2$ where $p_1$ and $p_2$ are atomic propositions, a
MAS M and a finite run $\rho$ in M, the instance of the model-checking problem $M, \rho \models \varphi$
can be translated to an instance of the model-checking problem in the modal μ-calculus
of knowledge of the following formula:

$$\mu Z.\ \bigvee_{\alpha\in Act_a} K_a\Big(p_2 \vee past_{p_2} \vee \big(p_1 \wedge \bigwedge_{\beta\in Act_{Ag\setminus\{a\}}} [\alpha,\beta]Z\big)\Big)$$

and the modified system M', in which are created some copies of the successors of
the states s labelled with the atomic proposition $p_2$ and the corresponding paths. The
copies are labelled with the existing atomic propositions in the successor of s to which
is added the new atomic proposition $past_{p_2}$. It will label all the states occurring after
state s carrying a $p_2$. This mechanism is similar with the "bookkeeping" employed in
the two-player games utilized in [7] for checking whether the same formula $\varphi$ holds at
a state of a MAS.

The formalisation of the modification of M is given below: For any multi-agent
system $M = (Q, Ag, \delta, q_0, \Pi, (\Pi_a)_{a\in Ag}, \pi, (Act_a)_{a\in Ag})$, we compute the multi-agent
system M' such that $M' = (Q', Ag, \delta', q'_0, \Pi, (\Pi_a)_{a\in Ag}, \pi', (Act'_a)_{a\in Ag})$ with
$Q' = Q \times \{0,1\}$, $q'_0 = (q_0, 0)$, $\pi'(q,0) = \pi(q)$, $\pi'(q,1) = \pi(q) \cup \{past_{p_2}\}$,
$Act'_a = Act_a \times \{0,1\}$, $\forall a \in Ag$ and the transition relation defined as: For any
transition $q \xrightarrow{(\alpha,\beta)} r$ where $\alpha \in Act_a$ and $\beta = \beta_1, \ldots, \beta_n$ with $\beta_j \in Act_{Ag\setminus\{a\}}$, in we have:

, ((«,0),/3) 

- (9,0) ^ (r,0) 

- (q, 1) ^ (r, 1), X e {0, 1} 

- [q, 0) > (r, 1) if p e TT{q) 

_ (g,0) ir,0)ifpiniq) 

Given a run p = qo — qi ... we denote qi by p[i], i = 0, \p\ and a^+i by 
act{p, i), i = 0, ...,\p\ - 1. We redefine the tree unfolding for the multi player games as 
being a partial mapping tn = (^m''', ^m^^") with t^*^^ : N - Q , f^^f^ix) = Tr{x[\x\]) 
and t^®*^ : N ^ Ua^AgActa, t^j^^^{xi) - a if X ^ xi where a = (Qi,...,Q:fe) 6 
$\prod_{a\in Ag} Act_a$. In this case, we say that two runs $\rho$ and $\rho'$ are indistinguishable
(observationally equivalent) to a coalition A (and note $\rho \sim_A \rho'$) if $|\rho| = |\rho'|$,
$act(\rho, i)|_A = act(\rho', i)|_A$ for all $i < |\rho|$, and $\pi_A(\rho[i]) = \pi_A(\rho'[i])$ for all i <



We define a strategy, as it is defined in [7], $\sigma$ for a coalition A as any mapping
$\sigma : (2^{\Pi_A})^* \to Act_A$. A strategy $\sigma$ is compatible with a run $\rho = q_0 \xrightarrow{\alpha_1} q_1 \ldots$ if
$\sigma(\pi_A(\rho[0]) \ldots \pi_A(\rho[i])) = \alpha_{i+1}|_A$ for all $i < |\rho|$. If $\sigma$ is compatible with a run $\rho$, then it
is compatible with any run that is indistinguishable from $\rho$ to A.

We also use [a]p to express the fact that for all the successors xi of x for which 
tu'^^xi) = a we have thatp e TT{qf ''{:n)). 

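In order to prove the equivalence between the two problems, we prove that for any
system M and any ATL$_{iR}$ formula $\varphi = \langle\langle a\rangle\rangle p_1\,\mathcal{U}\,p_2$, there exists a system M' as defined
below and a formula

$$\varphi' = \mu Z.\ \bigvee_{\alpha\in Act_a} K_a\Big(p_2 \vee past_{p_2} \vee \big(p_1 \wedge \bigwedge_{\beta\in Act_{Ag\setminus\{a\}}} [\alpha,\beta]Z\big)\Big)$$

such that for any run $\rho$ in M and any run $\rho'$ in M' for which the projection in M is $\rho$,
$M, \rho \models \varphi$ if and only if $M', \rho' \models \varphi'$.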

This construction can be extended to the whole ATL by structural induction on the 
formula. 

Multi-player games with incomplete information can also be translated into the
μ-calculus of knowledge. Recall briefly that a (synchronous) two-player game is a tuple
$G = (Q, Ag, (Act_a)_{a\in Ag}, \delta, Q_0, (Obs_a)_{a\in Ag}, (o_a)_{a\in Ag}, par)$ with Q denoting the set
of states, $Ag = \{A, B\}$ the set of players, $\delta \subseteq Q \times \times_{a\in Ag} Act_a \times Q$ denoting the transition
relation, $o_a : Q \to Obs_a$ denoting the observability relation for player a and $par : Q \to \mathbb{N}$
defining the parity of each state.

A player $a \in Ag$ plays by choosing a feasible strategy, which is a mapping
$\sigma : (Obs_a)^* \to Act_a$. A strategy for a is winning when all the runs that are compatible with
that strategy satisfy the property: the maximal parity of a state which occurs infinitely
often in the run is even. The winning condition might be non-observable to a, as it might
happen that two identically observable states $q_1, q_2 \in Q$ might have different parities.

The set of winning strategies for a player in a multi-player game with imperfect
information is then expressible within the μ-calculus of knowledge, similarly to the
known encoding of the set of winning strategies in a parity game into the μ-calculus
from e.g. [10, 18]. Assuming that the largest parity in Q is even and the atomic
proposition $p_i$ holds exactly in all states with parity i, the following μ-calculus of knowledge
formula encodes the winning strategies for player a:

uZnpZn-i...pZi. \J Ka\J{p^^ A [a,fi]Zi) 
3.2 The model-checking problem 

The model-checking problem for the μ-calculus of knowledge is the problem of
deciding, given a MAS M and a closed formula $\varphi$, whether $t_M \models \varphi$.

The undecidability of the model-checking problem for combinations of temporal
and epistemic logics based on a synchronous and perfect recall semantics and
containing the common knowledge operator [22, 21] implies the following result.

Theorem 1. The model-checking problem for the μ-calculus of knowledge is
undecidable.

The next two sections are dedicated to finding a fragment of the μ-calculus of
knowledge with a decidable model-checking problem.



4 Revisiting the Decidability of the Model-checking Problem for
the Tree Semantics of the plain μ-calculus

Given a multi-agent system $M = (Q, Ag, \delta, q_0, \Pi, (\Pi_a)_{a\in Ag}, \pi)$, and an agent $a \in Ag$,
we may define the relation $\Gamma^M_a \subseteq Q \times Q$ as follows: $(q, r) \in \Gamma^M_a$ if for any run $\rho$ in M
ending in q (i.e. $\rho[|\rho|] = q$) there exists a run $\rho'$ ending in r with $\rho \sim_a \rho'$. Whenever the
MAS M is understood from the context, we use the notation $\Gamma_a$ instead of $\Gamma^M_a$.

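We now define a second semantics for the μ-calculus of knowledge, which works
on the set of states of a MAS M. Each formula $\varphi$ which contains variables $Z_1, \ldots, Z_n$
is associated with a Q-transformer $[\varphi] : (2^Q)^n \to 2^Q$, again by structural induction:

- $[p]$ resp. $[\neg p]$ are the constant Q-transformers $[p] = \{q \in Q \mid p \in \pi(q)\}$, resp.
$[\neg p] = \{q \in Q \mid p \notin \pi(q)\}$.

- $[Z_i] : (2^Q)^n \to 2^Q$ is the i-th projection, i.e., given $S_1, \ldots, S_n \subseteq Q$,
$[Z_i](S_1, \ldots, S_n) = S_i$.

- $[\varphi_1 \vee \varphi_2] = [\varphi_1] \cup [\varphi_2]$, and $[\varphi_1 \wedge \varphi_2] = [\varphi_1] \cap [\varphi_2]$.

- Both nexttime modalities are associated with Q-transformers $AX^f, EX^f : 2^Q \to 2^Q$
defined as:

$$AX^f(S) = \{q \in Q \mid \forall r \in Q \text{ if } (q,r) \in \delta \text{ then } r \in S\}$$
$$EX^f(S) = \{q \in Q \mid \exists r \in Q \text{ with } (q,r) \in \delta \text{ and } r \in S\}$$

Then $[AX\varphi] = AX^f \circ [\varphi]$ and, similarly, $[EX\varphi] = EX^f \circ [\varphi]$.

- Both epistemic operators are associated with Q-transformers $K^f_a, P^f_a : 2^Q \to 2^Q$
defined as:

$$K^f_a(S) = \overline{\Gamma_a(\overline{S})} = \{q \in Q \mid \forall s \in Q, \text{ if } (s,q) \in \Gamma_a \text{ then } s \in S\}$$
$$P^f_a(S) = \Gamma_a(S) = \{q \in Q \mid \exists s \in S \text{ s.t. } (s,q) \in \Gamma_a\}$$

Then $[P_a\varphi] = P^f_a \circ [\varphi]$ and $[K_a\varphi] = K^f_a \circ [\varphi]$.

- $[\mu Z_i.\varphi] = \mathrm{lfp}^i_{[\varphi]}$ and $[\nu Z_i.\varphi] = \mathrm{gfp}^i_{[\varphi]}$.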
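
The state-based transformers of this section can be computed directly on a finite MAS. The Python sketch below is an added example, not code from the paper: the tuple encoding of formulas, the sample system, and the use of a subset construction over agent a's observations to obtain $\Gamma_a$ are assumptions of the example.

```python
# Added example: finitary (state-based) semantics on a finite MAS.
# Formula encoding (assumption): nested tuples such as
#   ("mu", "Z", ("or", ("atom", "p"), ("EX", ("var", "Z"))))

class MAS:
    def __init__(self, states, delta, pi, Pi, q0=1):
        self.Q = frozenset(states)     # states, all assumed reachable
        self.delta = frozenset(delta)  # transition relation, pairs (q, r)
        self.pi = pi                   # pi[q]: atoms true in state q
        self.Pi = Pi                   # Pi[a]: atoms observable by agent a
        self.q0 = q0

    def succ(self, q):
        return {r for (p, r) in self.delta if p == q}

    def info_sets(self, a):
        """Sets of states reached by runs sharing one a-observation
        sequence (subset construction on the projection onto Pi[a])."""
        start = frozenset({self.q0})
        seen, todo = {start}, [start]
        while todo:
            cur = todo.pop()
            groups = {}
            for q in cur:
                for r in self.succ(q):
                    obs = frozenset(self.pi[r] & self.Pi[a])
                    groups.setdefault(obs, set()).add(r)
            for g in map(frozenset, groups.values()):
                if g not in seen:
                    seen.add(g)
                    todo.append(g)
        return seen

    def gamma(self, a):
        """(q, r) in Gamma_a iff every run ending in q has an
        a-indistinguishable run ending in r."""
        sets = self.info_sets(a)
        return {(q, r) for q in self.Q for r in self.Q
                if all(r in i for i in sets if q in i)}


def evaluate(m, phi, env=None):
    """Return [phi](env) as a frozenset of states; env maps variables to sets."""
    env = env or {}
    op = phi[0]
    if op == "atom":
        return frozenset(q for q in m.Q if phi[1] in m.pi[q])
    if op == "natom":
        return frozenset(q for q in m.Q if phi[1] not in m.pi[q])
    if op == "var":
        return env[phi[1]]
    if op in ("and", "or"):
        left, right = evaluate(m, phi[1], env), evaluate(m, phi[2], env)
        return left & right if op == "and" else left | right
    if op in ("AX", "EX"):
        s = evaluate(m, phi[1], env)
        if op == "AX":
            return frozenset(q for q in m.Q if m.succ(q) <= s)
        return frozenset(q for q in m.Q if m.succ(q) & s)
    if op in ("K", "P"):
        s, g = evaluate(m, phi[2], env), m.gamma(phi[1])
        test = all if op == "K" else any   # K: all s with (s,q) in Gamma_a
        return frozenset(q for q in m.Q
                         if test(x in s for (x, t) in g if t == q))
    if op in ("mu", "nu"):
        cur = frozenset() if op == "mu" else m.Q
        while True:  # Kleene iteration; Q is finite and phi is positive
            nxt = evaluate(m, phi[2], {**env, phi[1]: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f"unknown operator {op!r}")


# Constructed sample system: agent "a" observes only atom "o", so it cannot
# tell states 2 and 3 apart, while "p" (true in 2 and 4) is hidden from it.
SAMPLE = MAS(
    states=[1, 2, 3, 4],
    delta=[(1, 2), (1, 3), (2, 4), (3, 3), (4, 4)],
    pi={1: set(), 2: {"p", "o"}, 3: {"o"}, 4: {"p"}},
    Pi={"a": {"o"}},
)
EF_P = ("mu", "Z", ("or", ("atom", "p"), ("EX", ("var", "Z"))))
AG_NOT_P = ("nu", "Z", ("and", ("natom", "p"), ("AX", ("var", "Z"))))
K_P = ("K", "a", ("atom", "p"))

if __name__ == "__main__":
    for name, f in [("EF p", EF_P), ("AG not p", AG_NOT_P), ("K_a p", K_P)]:
        print(name, sorted(evaluate(SAMPLE, f)))
```

On this constructed system state 2 belongs to the finitary reading of $K_a p$, although the run 1·2 is a-indistinguishable from the run 1·3, where p fails; the state-based and history-based readings of $K_a$ therefore differ here.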

The following result represents a variant of the Finite Model Theorem for μ-calculus
and is proved by structural induction on the formula $\varphi$ in [?]:

Theorem 2. Given a MAS $M = (Q, Ag, \delta, q_0, \Pi, (\Pi_a)_{a\in Ag}, \pi)$ in which $Q = \{1, \ldots, n\}$
and $q_0 = 1$, and a (plain) μ-calculus formula $\varphi$, the following diagram commutes:

$$\begin{array}{ccc}
(2^Q)^n & \xrightarrow{\ [\varphi]\ } & 2^Q \\
\downarrow (t_M^{-1})^n & & \downarrow t_M^{-1} \\
(2^{supp(t)})^n & \xrightarrow{\ \|\varphi\|\ } & 2^{supp(t)}
\end{array} \qquad (2)$$

We also say that the diagram 2 holds (or commutes) for the formula $\varphi$ in the system M.

Proof. We proceed by structural induction on the formula $\varphi$. Note first that the diagram
2 holds for the base cases:

$$t_M^{-1}([p]) = \|p\| \qquad t_M^{-1}([\neg p]) = \|\neg p\|$$
$$t_M^{-1}([Z_i](S_1, \ldots, S_n)) = \|Z_i\|(S_1, \ldots, S_n) \text{ for all } S_j \subseteq Q,\ 1 \le j \le n.$$

The induction step relies on two groups of properties: on one side, the commutativity
of $t_M^{-1}$ with finite unions/intersections, and two commutativity diagrams relating $t_M^{-1}$
with the mappings $AX/AX^f$, resp. $EX/EX^f$. The second group of properties is
represented by two characterizations for the restrictions of $\mathrm{lfp}^i_{\|\varphi\|}$ and $\mathrm{gfp}^i_{\|\varphi\|}$ on $t_M$-regular
sets of nodes of $t_M$.

The first group of properties is summarized in the following identities:

1. For any two sets $S_1, S_2 \subseteq Q$,

$$t_M^{-1}(S_1 \cup S_2) = t_M^{-1}(S_1) \cup t_M^{-1}(S_2)$$
$$t_M^{-1}(S_1 \cap S_2) = t_M^{-1}(S_1) \cap t_M^{-1}(S_2)$$

2. For any set $S \subseteq Q$,

$$t_M^{-1}(AX^f(S)) = AX(t_M^{-1}(S))$$
$$t_M^{-1}(EX^f(S)) = EX(t_M^{-1}(S))$$

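The following property is essential for the induction step involving the fixpoint
operators:

Claim. Suppose $\varphi$ is a μ-calculus formula for which the commutative diagram 2 holds.
Given $\vec S \in (2^Q)^n$ with $\vec S = (S_1, \ldots, S_n)$ and an index $i \le n$, denote $\varphi^i_{\vec S}$ the function
$\varphi^i_{\vec S} : 2^{supp(t_M)} \to 2^{supp(t_M)}$,

$$\varphi^i_{\vec S}(T) = \|\varphi\|(t_M^{-1}(S_1), \ldots, t_M^{-1}(S_{i-1}), T, t_M^{-1}(S_{i+1}), \ldots, t_M^{-1}(S_n)) \qquad (3)$$

Also denote $[\varphi^i_{\vec S}]$ the function $[\varphi^i_{\vec S}] : 2^Q \to 2^Q$ with

$$[\varphi^i_{\vec S}](R) = [\varphi](S_1, \ldots, S_{i-1}, R, S_{i+1}, \ldots, S_n)$$

Then $\mathrm{lfp}_{\varphi^i_{\vec S}} = t_M^{-1}(\mathrm{lfp}_{[\varphi^i_{\vec S}]})$ and $\mathrm{gfp}_{\varphi^i_{\vec S}} = t_M^{-1}(\mathrm{gfp}_{[\varphi^i_{\vec S}]})$.

Proof. We may prove by induction on $j \in \mathbb{N}$ that

$$(\varphi^i_{\vec S})^j(\emptyset) = t_M^{-1}\big([\varphi^i_{\vec S}]^j(\emptyset)\big) \qquad (4)$$

where the first empty set is an element of $2^{supp(t_M)}$ whereas the second is an element of
$2^Q$.

The base case is straightforward, since, for j = 0, Identity 4 reduces to $\emptyset = t_M^{-1}(\emptyset)$.
For the induction step we may use the induction hypothesis about the commutative
diagram 2 (applied for producing the third identity below) to conclude that:

$$\begin{aligned}
(\varphi^i_{\vec S})^{j+1}(\emptyset) &= (\varphi^i_{\vec S})\big((\varphi^i_{\vec S})^j(\emptyset)\big) \\
&= (\varphi^i_{\vec S})\big(t_M^{-1}([\varphi^i_{\vec S}]^j(\emptyset))\big) \\
&= \|\varphi\|\big(t_M^{-1}(S_1), \ldots, t_M^{-1}(S_{i-1}), t_M^{-1}([\varphi^i_{\vec S}]^j(\emptyset)), t_M^{-1}(S_{i+1}), \ldots, t_M^{-1}(S_n)\big) \\
&= t_M^{-1}\big([\varphi](S_1, \ldots, S_{i-1}, [\varphi^i_{\vec S}]^j(\emptyset), S_{i+1}, \ldots, S_n)\big)
\end{aligned}$$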

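We then need to prove that $\big([\varphi^i_{\vec S}]^j(\emptyset)\big)_{j \ge 0}$ is an increasing sequence of subsets
of Q. To that end, we will prove that $[\varphi^i_{\vec S}](\cdot)$ is monotonously increasing in both
arguments. That is, $[\varphi^i_{\vec S_1}](S') \subseteq [\varphi^i_{\vec S_2}](S'')$ for all $S' \subseteq S'' \in 2^Q$ and for all
$\vec S_1 = (S_{11}, S_{12}, \ldots, S_{1n})$ and $\vec S_2 = (S_{21}, S_{22}, \ldots, S_{2n})$ with $S_{1k} \subseteq S_{2k}$ for all $1 \le k \le n$. This
can be proved by induction on the structure of $\varphi$ as follows:

1. For $\varphi = p$ or $\varphi = \neg p$, the property holds since in this case $[\varphi]$ is constant.

2. For $\varphi = Z_r$, $[\varphi]$ is the r-th projection. If r = i, then
$[\varphi^i_{\vec S_1}](S') = S' \subseteq S'' = [\varphi^i_{\vec S_2}](S'')$. Otherwise,
$[\varphi^i_{\vec S_1}](S') = S_{1r} \subseteq S_{2r} = [\varphi^i_{\vec S_2}](S'')$.

3. For $\varphi = \varphi_1 \vee \varphi_2$, $[\varphi] = [\varphi_1] \cup [\varphi_2]$. Since
$[\varphi^i_{\vec S}](S') = [\varphi](S_1, \ldots, S_{i-1}, S', S_{i+1}, \ldots, S_n)$,
assuming that the property holds for $\varphi_1$ and $\varphi_2$,
$[(\varphi_1)^i_{\vec S_1}](S') \subseteq [(\varphi_1)^i_{\vec S_2}](S'')$ and
$[(\varphi_2)^i_{\vec S_1}](S') \subseteq [(\varphi_2)^i_{\vec S_2}](S'')$. Hence,
$[(\varphi_1)^i_{\vec S_1}](S') \cup [(\varphi_2)^i_{\vec S_1}](S') \subseteq [(\varphi_1)^i_{\vec S_2}](S'') \cup [(\varphi_2)^i_{\vec S_2}](S'')$
and therefore $[\varphi^i_{\vec S_1}](S') \subseteq [\varphi^i_{\vec S_2}](S'')$.
For $\varphi = \varphi_1 \wedge \varphi_2$ the proof is similar.

4. For $\varphi = AX\varphi_1$, $[\varphi] = AX^f \circ [\varphi_1] = \{q \in Q \mid \forall r \in Q, \text{ if } q \to r \in \delta \text{ then } r \in [\varphi_1]\}$.
That is, the predecessors of nodes in $[\varphi_1]$ that have no successors outside $[\varphi_1]$.

It is easy to see that $AX^f$ is monotonous using the definition: given $S_1, S_2 \in 2^Q$,
$S_1 \subseteq S_2$, we have

$$AX^f(S_1) = \{q \in Q \mid \forall r \in Q, \text{ if } q \to r \in \delta \text{ then } r \in S_1\}$$

and since $S_1 \subseteq S_2$, if $r \in S_1$, then $r \in S_2$. Hence,

$$AX^f(S_1) \subseteq \{q \in Q \mid \forall r \in Q, \text{ if } q \to r \in \delta \text{ then } r \in S_2\} = AX^f(S_2).$$

Then, since $[(\varphi_1)^i_{\vec S_1}](S') \subseteq [(\varphi_1)^i_{\vec S_2}](S'')$, by applying $AX^f$ which is monotonous,
we obtain that $AX^f([(\varphi_1)^i_{\vec S_1}](S')) \subseteq AX^f([(\varphi_1)^i_{\vec S_2}](S''))$. That is,
$[\varphi^i_{\vec S_1}](S') \subseteq [\varphi^i_{\vec S_2}](S'')$. A similar proof can be given for $\varphi = EX\varphi_1$.

5. For $\varphi = K_a\varphi_1$, $[\varphi](S) = K^f_a \circ [\varphi_1](S) = \{q \in Q \mid \forall s \in Q \text{ with } (s,q) \in \Gamma_a \text{ then } s \in [\varphi_1](S)\}$.
We can prove, as we did in the case of $AX^f$, that $K^f_a$ is monotonous and
applying it to $[(\varphi_1)^i_{\vec S_1}](S') \subseteq [(\varphi_1)^i_{\vec S_2}](S'')$ from the inductive hypothesis, we obtain
that $K^f_a([(\varphi_1)^i_{\vec S_1}](S')) \subseteq K^f_a([(\varphi_1)^i_{\vec S_2}](S''))$. That is, $[\varphi^i_{\vec S_1}](S') \subseteq [\varphi^i_{\vec S_2}](S'')$.

For $\varphi = P_a\varphi_1$ the proof results from the duality of $K^f_a$ and $P^f_a$, i.e.,
$P^f_a(S) = \overline{K^f_a(\overline{S})}$. We have that $[(\varphi_1)^i_{\vec S_1}](S') \subseteq [(\varphi_1)^i_{\vec S_2}](S'')$ and then
$\overline{[(\varphi_1)^i_{\vec S_1}](S')} \supseteq \overline{[(\varphi_1)^i_{\vec S_2}](S'')}$.
Applying $K^f_a$ to it and then computing the dual set, we have that
$\overline{K^f_a(\overline{[(\varphi_1)^i_{\vec S_1}](S')})} \subseteq \overline{K^f_a(\overline{[(\varphi_1)^i_{\vec S_2}](S'')})}$.
That is, $P^f_a([(\varphi_1)^i_{\vec S_1}](S')) \subseteq P^f_a([(\varphi_1)^i_{\vec S_2}](S''))$.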

6. For = ^Zr.4'1, \(p] = Ifpf^i]- We have that 

~ '^P[0llr(S'l,l,---,S'l,r-l,-,Sl,r+l,---,Sl,i_l,S',5l,i+l,...,Sl,„)' 

From the inductive hypothesis we have that \(j>] ](S') E \4>] ^ 1(5"') and then, 

1,01 1,02 

by applying Ifp, we obtain that 
andthen[4j(5')£[4j(5'). 

We may conclude that [0^] is monotonously increasing. Now, we know that £ 

By induction, we can prove that \4^Vi0) £ [<^|-p"'H0)> > O.Hence, ([<^|-?'(0))j>o 
is an increasing sequence of subsets. 

This sequence stabihzes at a certain integer k, which is the fixpoint of f'/>^]: 

As a consequence of this and of Identity 4, the fixpoint of (p^ is reached for 

lfp^^ = iM(f4l'(0)) 

which ends the proof of Claim 4 

Returning to the proof of Theorem 2, the induction step concerning the least fixed 
point follows easily: 

lllfp^ll ° (tM)"(Sl,---,Sn) = \\\fp]p\\(t~M(Si), ...,rM(Sn)) = lfp50||(t^(Si),...,t];](S„)) 

= lfp^j^^ ^^^^=t^(lfpf^l(5i,...,5„)) 

where in the last step we utilized the claim above. A similar proof gives the commuta- 
tion property for the greatest fixpoint. □ 



5 A Fragment of the /x-calculus of Knowledge with a Decidable 
Model-Checking Problem 

In this section, we first introduce some additional notations and notions. Given a MAS 
M and two agents ai, 02 e Ag, we say that the two agents have compatible observ- 
ability if either Ila^ g 77^^ or Ila^ 3 Ila.,. 

Given a formula 0, let denote the syntactic tree of 0. We also consider that, 
in T^, each node labeled with a variable also has a successor, labeled with T. This 
convention brings the property that each node in whose formula is a variable has a 
closed subformula (which is T). 

The syntactic tree is constructed by structural induction, with 

- supp(rp) = {e},rp(e) =p, 

- supp(T^p) = {e}, r^p(e) = ^p, 

- supp(Z) = {e, 1}, Tz{e) = Z, Tz{l) = T, 

- supp(rop0j = {e} u{lx I X € supp(0i)}, Top4,i{e) = Op, Top,^i(la;) = T^^(x), 
where Op e {AX, EX, Ka,Pa,f^Z, vZ} 

- SUpp(r0iOp02) = {e} U {IX I X € SUpp((/>i)} U {2x \ X € SUpp{(j)2)}, T^iOp<t,2{f) = 

Op,T^ 

We then denote by $form(x)$ the subformula of $\phi$ whose syntactic tree is the
subtree of $T_\phi$ rooted at $x$, and say that $x$ is closed if $form(x)$ is closed.

We then say that an epistemic operator $Op \in \{K_a, P_a \mid a \in Ag\}$ is non-closed at a
node $x$ in a formula $\phi$ if $form(x)$ is not closed, $Op$ labels a node $y > x$, and for all the
nodes $y'$ lying on the path between $x$ and $y$ we have that $form(y')$ is not closed.

For each node $x \in supp(T_\phi)$, we also define $AgNCl_\phi(x)$ as being the set of agents
$a$ for which $K_a$ or $P_a$ is non-closed at $x$. In addition, given two distinct nodes $x_1 < x_2$
with $x_2$ being closed, we say that $x_2$ is a nearest closed successor of $x_1$ if no other
closed node lies on the path from $x_1$ to $x_2$.

Definition 1. The μ-calculus of non-mixing epistemic fixpoints is the fragment of the
μ-calculus of knowledge consisting of formulas $\phi$ satisfying the following property:

Any two agents $a$ and $b$ for which there exist epistemic operators $Op_a \in \{K_a, P_a\}$,
$Op_b \in \{K_b, P_b\}$ such that both $Op_a$ and $Op_b$ are not closed at some node $x$ of
$T_\phi$, must have compatible observability, i.e. $\Pi_a \subseteq \Pi_b$ or $\Pi_b \subseteq \Pi_a$.

All formulas of $KB_n$ [12, 13], that is, CTL with individual knowledge operators,
are formulas of the μ-calculus of non-mixing epistemic fixpoints. Other examples of
nonmixing formulas are the following ($a$ and $b$ are two agents such that $\Pi_a \subseteq \Pi_b$):

$\mu Z_1.(p \vee K_a(EX.Z_1) \wedge \nu Z_2.(q \wedge Z_1 \wedge K_a(EX Z_2)))$

$\mu Z_1.(p \vee K_a(EX.Z_1) \wedge \nu Z_2.(q \wedge K_b(EX Z_2)))$

Examples of formulas that are not in the μ-calculus of non-mixing epistemic fixpoints
are ($a$ and $b$ are two agents such that $\Pi_a \not\subseteq \Pi_b$ and $\Pi_b \not\subseteq \Pi_a$):

$C_{a,b}\phi = \nu Z.(\phi \wedge K_a Z \vee K_b Z)$

$\mu Z_1.(p \vee K_a(EX.Z_1) \wedge \nu Z_2.(q \wedge Z_1 \wedge K_b(EX Z_2)))$



Theorem 3. The model-checking problem for the μ-calculus of non-mixing epistemic
fixpoints is decidable.

The crux of the proof consists of proving a commutativity property relating $t_M^{-1}$
with the operators $K_a/K_a^f$, resp. $P_a/P_a^f$, similar to the properties relating $t_M^{-1}$ with
$AX/AX^f$, resp. $EX/EX^f$. Unfortunately, this commutativity property does not hold
for every MAS $M$, as shown by the following example.



Fig. 1. (a) A one-agent system with $\Pi_a = \{p_1\}$; (b) the unfolding of the system in Fig. 1(a)

Example 1. Let $M$ be the one-agent system in Fig. 1. If we put $S = \{1,3\}$ then, using
Figure 1 b) and the definitions of $K_a/P_a$ and $K_a^f/P_a^f$, we have that
$K_a^f(\{1,3\}) = \overline{P_a^f(\{2\})} = \overline{\{2,3\}} = \{1\}$. That is,

$t_M^{-1}(K_a^f(S)) = \{x \in supp(t) \mid x[|x|] = 1\}$

Similarly,

$K_a(t_M^{-1}(\{1,3\})) = \overline{P_a(t_M^{-1}(\{2\}))}$
$= \overline{\{x \in supp(t) \mid x[|x|] = 2 \vee (x[|x|] = 3 \wedge |x| \text{ is even})\}}$
$= \{x \in supp(t) \mid x[|x|] = 1 \vee (x[|x|] = 3 \wedge |x| \text{ is odd})\}.$

We can observe that $t_M^{-1}(K_a^f(S))$ contains only nodes of $t_M$ labeled with state 1,
whereas $K_a(t_M^{-1}(S))$ contains more nodes, in particular nodes labeled with 3 occurring
on the odd levels of $t_M$.

Definition 2. Given two MASs $M_i = (Q_i, Ag, \delta_i, q_0^i, \Pi, (\Pi_a)_{a \in Ag}, \pi_i)$ ($i = 1,2$) over
the same set of atomic propositions, we say that $M_1$ is an in-splitting of $M_2$ if there
exists a pair of surjective mappings $\chi = (\chi_{st}, \chi_{tr})$, with $\chi_{st} : Q_1 \to Q_2$, $\chi_{tr} : \delta_1 \to \delta_2$,
satisfying the following properties:

1. For each $q, r \in Q_1$, $(q,r) \in \delta_1$, $\chi_{tr}((q,r)) = (\chi_{st}(q), \chi_{st}(r)) \in \delta_2$.

2. For each $q \in Q_1$, $\pi_2(\chi_{st}(q)) = \pi_1(q)$.

3. For each $q \in Q_1$, $outdeg(\chi_{st}(q)) = outdeg(q)$, where $outdeg(q)$ is the number of
transitions starting in $q$.

4. $\chi_{st}(q_0^1) = q_0^2$.

The in-splitting is an isomorphism whenever $\chi_{st}$ and $\chi_{tr}$ are bijective.

Further, the pair $\chi = (\chi_{st}, \chi_{tr})$ is called an in-splitting mapping. Also, we may
write $\chi : M_1 \to M_2$ to denote the fact that $\chi = (\chi_{st}, \chi_{tr})$ is a witness for $M_1$ being an
in-splitting of $M_2$.

Note that an in-splitting mapping (term borrowed from symbolic dynamics [15])
represents a surjective functional bisimulation between two transition systems. The
following proposition can be seen as a generalization of this remark (proof given in [?]):

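Proposition 2. Consider two MASs $M_i = (Q_i, Ag, \delta_i, q_0^i, \Pi, (\Pi_a)_{a \in Ag}, \pi_i)$ ($i = 1,2$)
over the same set of atomic propositions, connected by an in-splitting mapping
$\chi = (\chi_{st}, \chi_{tr}) : M_1 \to M_2$. Then for any plain μ-calculus formula $\phi$ the following diagram
commutes:

[Diagram (6): commutative square with top arrow $[\phi]_{M_1} : (2^{Q_1})^n \to 2^{Q_1}$ and vertical arrows $(\chi_{st}^{-1})^n$ and $\chi_{st}^{-1}$.]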



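Proof. Let $S_1, \ldots, S_n \in 2^{Q_2}$. We prove by structural induction on the structure of
the formula $\phi$ that

$[\phi]_{M_1}(\chi_{st}^{-1}(S_1, \ldots, S_n)) = \chi_{st}^{-1}([\phi]_{M_2}(S_1, \ldots, S_n))$

1. For $\phi = p$ we have

$[\phi]_{M_1}(\chi_{st}^{-1}(S_1, \ldots, S_n)) = \{q \in Q_1 \mid p \in \pi_1(q)\}$
$\chi_{st}^{-1}([\phi]_{M_2}(S_1, \ldots, S_n)) = \chi_{st}^{-1}(\{q \in Q_2 \mid p \in \pi_2(q)\})$

Since $\pi_2(\chi_{st}(q)) = \pi_1(q)$ and $\chi_{st}$ is surjective, we can conclude that

$[\phi]_{M_1}(\chi_{st}^{-1}(S_1, \ldots, S_n)) = \chi_{st}^{-1}([\phi]_{M_2}(S_1, \ldots, S_n))$

The proof is similar for $\phi = \neg p$.

2. For $\phi = Z_i$, $[\phi]$ is the $i$-th projection and hence

$[\phi]_{M_1}(\chi_{st}^{-1}(S_1, \ldots, S_n)) = \chi_{st}^{-1}(S_i) = \chi_{st}^{-1}([\phi]_{M_2}(S_1, \ldots, S_n)).$

3. For $\phi = \phi_1 \vee \phi_2$, $[\phi] = [\phi_1] \cup [\phi_2]$. Then,

$[\phi]_{M_1}(\chi_{st}^{-1}(S_1, \ldots, S_n)) = [\phi_1]_{M_1}(\chi_{st}^{-1}(S_1, \ldots, S_n)) \cup [\phi_2]_{M_1}(\chi_{st}^{-1}(S_1, \ldots, S_n))$

$= \chi_{st}^{-1}([\phi_1]_{M_2}(S_1, \ldots, S_n)) \cup \chi_{st}^{-1}([\phi_2]_{M_2}(S_1, \ldots, S_n))$ by induction

$= \chi_{st}^{-1}([\phi]_{M_2}(S_1, \ldots, S_n))$

The proof for $\phi = \phi_1 \wedge \phi_2$ is similar.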



4. For (j) = AX(j)i, \(t)] = AXf o 

= {g e Qi I Vr € Qi, if q ^ r e Si 

thenr e [0i]mi (Xst (^'i, S'„))} byinduction 
= {gegi I VreQi, if g ^ r e 5i then r e x;t^([0ilM2(<S'i, ^n))} 

Further, we want to prove that this set equals to 

= {x'stiq') I q' e Q2and^r' e Q2, if g' ^ r' e ^2 then r' 6 [(/)i]m.(^i, 

We prove it by double inclusion. Let first take a g in the first set. We have that 
for all r e Qi, if g ^ r e 5i thenr 6 x^ti\'P'^]M2{Si, ■■■,Sn))- From the sur- 
jectivity of Xst and xtr and properties 1) and 3) in Definition 13, there is a g' 6 
Q2 such that g € XhW) for = Xst{f) e Q2, if g' then r' € 

Xst{x~st{\^AMASi, S„))). That is, using again the surj ectivity, for all r' e Q2 , 
ifg'^r'then r' € [,^i1m, 5„). 

For the inverse inclusion, take g' € Q2 s.t. for all r' € Q2, if q' ^ r' € 62 then r' e 
[<?!'i1m2 {S\,..., Sn). Again, from the surjectivity of Xst and Xtr and properties 1) 
and 3) in the above definition we have that there exists g e Qi s.t. Xst{q) = g' 
and for any transition q' ^ r' € S2 we have transition q ^ r € 5i such that 
q' r' = Xst(g) Xstir). Since Xst is surjective and property 3) holds, if 
g' e Q2, r' 6 Q2 with q' ^ r' e 82 implies that r' e \(I)i]m2{Si, Sn), then 
there exists g € Qi, g € XstW) ^-t- for all r = Xsti^') ^ Qi' H q ^ r € 61 then r € 
Xstn['?^ilM2(5'i,...,6'„)). We can then conclude that \^]Mi{xltiSi,-,Sn)) = 
Xlt^([0]M2(5'i,---,S'„)). 

5. For = txZr.(j)i, [0] = lfP[0ii- 

Xjt'(['/']M2 ^«)) = Xjt (lfpf^,lM2 (^1' Sn)) 

= Xst^(lfPf01,,M2(S'l,...,Si-l,-,S, + l,...,S„)) 

= Xjt'(min{5| [(/.i]i,M2(5i,...,5i-i,5,Si+i,...,^„) =5}) 

since Xst is monotonous 

= min{x;t (-S*) I X^t ([0i1i,M2 (S'l, 5, Sj+i, S'n)) =xlt ('5')} 

= 'fPx;J([^ili,M2(Si,...,s,_i,.,s,,i,...,s„)) from inductive hypothesis 
= '^P[<?iili,Mi (x;J (Si,...,Si_i,-,Si+i,...,s„)) 
= lfP[^.lM,(x;t(^i'-'^")) 

= MM,(x;t(5l,-,^n)) 

Remark 4 Proposition 2 does not hold for general μ-calculus of knowledge formulas.

To see this, consider the system depicted in Fig. 2 (a), which is an in-splitting of the
system from Fig. 1 (a), resulting from splitting state 3 in two states, denoted 3 and 4
(i.e. $\chi(1) = 1$, $\chi(2) = 2$, $\chi(3) = \chi(4) = 3$), with transitions $(3,4) \in \delta$ and $(4,4) \in \delta$.

Fig. 2. (a) An in-splitting of the system from Fig. 1; (b) the unfolding of the system from Fig. 2(a)

Note that $K_a^f(\{1,4\}) = \overline{P_a^f(\{2,3\})} = \overline{\{2,3\}} = \{1,4\}$ and hence,

$t_M^{-1}(K_a^f(\{1,4\})) = \{x \in supp(t) \mid x[|x|] = 1 \vee x[|x|] = 4\}$

On the other hand,

$K_a(t_M^{-1}(\{1,4\})) = \overline{P_a(t_M^{-1}(\{2,3\}))}$
$= \overline{\{x \in supp(t) \mid x[|x|] = 2 \vee x[|x|] = 3 \vee (x[|x|] = 4 \wedge |x| \text{ is even})\}}$
$= \{x \in supp(t) \mid x[|x|] = 1 \vee (x[|x|] = 4 \wedge |x| \text{ is odd})\}.$

That is, $t_M^{-1}(K_a^f(S))$ contains all nodes of $t_M$ labelled with states 1 or 4, whereas
$K_a(t_M^{-1}(S))$ contains fewer nodes, in particular nodes labelled with 1 and nodes
labelled with 4 occurring on the odd levels of $t_M$.

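The following notion corresponds with the "determinization" used for model-checking
LTLK/CTLK [22, 8] or solving 2-player parity games with one player having incomplete
information [6]:

Definition 3. Given a MAS $M = (Q, Ag, \delta, q_0, \Pi, (\Pi_a)_{a \in Ag}, \pi)$, we define the multi
agent system $\Delta_a^{pre}(M) = (\tilde{Q}^{pre}, Ag, \tilde{\delta}, \tilde{q}_0, \Pi, (\Pi_a)_{a \in Ag}, \tilde{\pi})$ as follows:

- $\tilde{Q}^{pre} = \{(s,S) \mid s \in Q, S \subseteq \{q \in Q \mid \pi_a(q) = \pi_a(s)\}\}$ and $\tilde{q}_0 = (q_0, \{q_0\})$.

- $\tilde{\delta}$ is composed of all tuples of the form $((s,S),(r,R))$ where $(s,r) \in \delta$ and
$R = \{r' \in Q \mid \pi_a(r') = \pi_a(r) \text{ and } \exists s' \in S \text{ with } (s',r') \in \delta\}$.

- $\tilde{\pi}(s,S) = \pi(s)$.

The a-distinction of $M$, denoted $\Delta_a(M)$, is the restriction of $\Delta_a^{pre}(M)$ to reachable
states, i.e., $\Delta_a(M) = (\tilde{Q}, Ag, \tilde{\delta}|_{\tilde{Q}}, \tilde{q}_0, \Pi, (\Pi_a)_{a \in Ag}, \tilde{\pi}|_{\tilde{Q}})$ where
$\tilde{Q} = \{\tilde{s} \in \tilde{Q}^{pre} \mid \tilde{s} \text{ is reachable from } \tilde{q}_0\}$.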
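
The construction of Definition 3, as an added example (not code from the paper): it builds the a-distinction of a small constructed three-state system, checks the four in-splitting conditions of Definition 2 for the projection (s,S) -> s, and brute-forces the first property of Lemma 1 below on runs up to a bounded length. Assumptions: two runs are a-equivalent when they have the same length and pointwise equal a-observations, and "same second component" is used as the relation on the a-distinction, as Lemma 3 states; the system M, PI_A and all function names are constructed for illustration.

```python
from collections import namedtuple
from itertools import product

MAS = namedtuple("MAS", "states delta init labels")

# Constructed sample system (not Fig. 1, which is not reproduced on this page).
# Agent a observes only "p", so states 1 and 2 look alike to a.
M = MAS(states={0, 1, 2},
        delta={(0, 1), (0, 2), (1, 2), (2, 2)},
        init=0,
        labels={0: frozenset(), 1: frozenset({"p"}), 2: frozenset({"p", "q"})})
PI_A = frozenset({"p"})


def obs(mas, pi_a, q):
    """pi_a(q): the part of q's label that agent a observes."""
    return mas.labels[q] & pi_a


def a_distinction(m, pi_a):
    """Reachable part of the construction in Definition 3."""
    init = (m.init, frozenset({m.init}))
    states, delta, todo = {init}, set(), [init]
    while todo:
        s, S = todo.pop()
        for (u, r) in m.delta:
            if u != s:
                continue
            # R: successors of some s' in S that a cannot tell apart from r.
            R = frozenset(r2 for (s2, r2) in m.delta
                          if s2 in S and obs(m, pi_a, r2) == obs(m, pi_a, r))
            nxt = (r, R)
            delta.add(((s, S), nxt))
            if nxt not in states:
                states.add(nxt)
                todo.append(nxt)
    labels = {st: m.labels[st[0]] for st in states}
    return MAS(states, delta, init, labels)


def outdeg(mas, q):
    return sum(1 for (u, _) in mas.delta if u == q)


def is_in_splitting(d, m):
    """Definition 2 for chi_st(s,S) = s and chi_tr((s,S),(r,R)) = (s,r)."""
    return (all(d.labels[st] == m.labels[st[0]] for st in d.states)       # cond. 2
            and {st[0] for st in d.states} == set(m.states)                # chi_st onto
            and {(u[0], v[0]) for (u, v) in d.delta} == set(m.delta)       # cond. 1, chi_tr onto
            and all(outdeg(d, st) == outdeg(m, st[0]) for st in d.states)  # cond. 3
            and d.init[0] == m.init)                                       # cond. 4


def runs(mas, n):
    """All runs with exactly n states that start in the initial state."""
    out = [(mas.init,)]
    for _ in range(n - 1):
        out = [r + (v,) for r in out for (u, v) in mas.delta if u == r[-1]]
    return out


def knowledge_sets_match(m, d, pi_a, n_max):
    """Lemma 1, first property, checked on all runs with at most n_max states."""
    for n in range(1, n_max + 1):
        m_runs = runs(m, n)
        for rho in runs(d, n):
            seen = [obs(d, pi_a, st) for st in rho]
            # End states of the runs of M that a cannot tell apart from rho.
            alike = {r[-1] for r in m_runs
                     if [obs(m, pi_a, q) for q in r] == seen}
            if alike != set(rho[-1][1]):
                return False
    return True


def is_a_distinguished(d, pi_a):
    """Property (7) for the relation 'same second component'."""
    for (u, u2), (v, v2) in product(d.delta, repeat=2):
        if (u[1] == v[1] and obs(d, pi_a, u2) == obs(d, pi_a, v2)
                and u2[1] != v2[1]):
            return False
    return True


if __name__ == "__main__":
    D = a_distinction(M, PI_A)
    for s, S in sorted(D.states, key=lambda st: (st[0], sorted(st[1]))):
        print(s, sorted(S))
```

On this system state 2 is split in two: after one step the agent cannot tell 1 from 2, after two steps perfect recall tells it that the current state is 2.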



Given a run p in Runs(Z\a(M)), we denote the projection of p onto its first 
component. 

Lemma 1. Given a MAS $M = (Q, Ag, \delta, q_0, \Pi, (\Pi_a)_{a \in Ag}, \pi)$, the following two
properties hold:

1. For each run p in Aa{M) ending in (s, S), 

S = {r gQ \ 3p' in M that ends in r with p' ~o 

2. For each two runs $\rho, \rho'$ in $\Delta_a(M)$ with $\rho$ ending in $(s,S) \in \tilde{Q}$, if $\rho' \sim_a \rho$, then
there exists $r \in Q$ s.t. $\rho'$ ends in $(r,S)$.

Proof. We prove the first property by induction on the length of the path $\rho$. It is easy to
see that the property holds when $\rho = \tilde{q}_0 = (q_0, \{q_0\})$. In this case, $\rho'$ can be only $\rho$.

Suppose now the property holds for any path J) in Aa{M) with \p\ = n. Let p' in 
Aa{M) with Ip'I = n + 1 that ends in {q, S). Then exists a path p" = {{qi, S'i))^^.^^ 
of length n such that p' = p" ■ {q, S) with {qn+i,Sn+i) = {q, S). From the inductive 
hypothesis, Sn-i = {r 6 Q | 3p in M that ends in r with p ~a p"\^}- 
Since (qn-i,Sn-i) (q, S) 6 S, by definition: 

S = {r' eQ\ TTair) = TTa{q) and 3s' e 5„_i with s' ^ r' e 6} 

From s' e Sn-i we have that exists p in M that ends in s' with p ~o Because 
s' r' € S, TTair') = TTaiq) and p' = p" ■ (q, S), we can conclude that there exists p' in 
M, p' = p-r' that ends in r' with p' ~a That is, 

5 = {r' e Q I 3p' in M that ends in r' with p' p'\^} 

For the second property we also use the induction on the length of paths p and p'. 
The basic case is similar as above, since p' can only be p. 

Suppose the property holds for any p and any p' of length n with p' ~a P and take p 
andp' e Runs{Aa{M)) of length n + 1, with p that ends in {s,S) andp' ~a P- Denote 
P = ((<?i, 'S'i))i<,<„ and p' = {{q[, S'i))^^.^^. Because p p', we have that p p' and 
then(g;„5;) = ("g;,5„). 
From (g„, 5'ra) ^ (s, 5) we have that 

S = {r" € Q 1 7ra(r") = 7ra(s) and 3s" € 5' with s" ^ r" € 5} 
and from (g^,S'„) ^ (r,i?), 

R = {r" 6 g 1 7r„(r") = 7r„(r) and 3s" 6 S" with s" r" € 5} 
Since p ~o p', we have that 7ra(s) = 7ra(r) and then S = R. That is, p' ends in (r, S). 

Given a MAS $M = (Q, Ag, \delta, q_0, \Pi, (\Pi_a)_{a \in Ag}, \pi)$ and an agent $a \in Ag$, we say
that $M$ is a-distinguished if $\Gamma_a$ defined on page 10 is a congruence relation, that is,
an equivalence relation with the following property:

for any $q, r \in Q$, if $q\,\Gamma_a\,r$, $(q,q') \in \delta$, $(r,r') \in \delta$ and $\pi_a(q') = \pi_a(r')$, then $q'\,\Gamma_a\,r'$. (7)



Lemma 2. For a MAS $M = (Q, Ag, \delta, q_0, \Pi, (\Pi_a)_{a \in Ag}, \pi)$ and an agent $a \in Ag$ with
$\Gamma_a$ a congruence relation, we have that $s\,\Gamma_a\,r$ if and only if there exist $\rho$ and
$\rho' \in Runs(M)$ s.t. $\rho$ ends in $s$ and $\rho'$ ends in $r$ with $\rho \sim_a \rho'$.

Proof. For the direct implication the proof follows from the definition of $\Gamma_a$. The proof
in the other direction is made by induction on the length of the path $\rho$.

We define 7^" with sF^r if and only if for any run p in M ending in s with \p\ - n, 
there exists a run p' ending in r with p ~a p'- 

We show by induction that Fn is a congruence. It is easy to see that for the base 
case, for any p, \p\ = 1, there exists p' = go ~a P since p = go- 
Suppose that it holds for n and prove for n + 1. Take p that ends in s, with \p\ = n+1 for 
which there exists p' ending in r s.t. p p'. That means that there exists p that ends in 
s' = p[\p\-l], with IpI = n for which there exists p' ending in r' = p'[\p'\-i] s.t. p ~a p'. 
From the inductive step, we have that s'F^r'. Since s' ^ s,r' r, Wais) = iTair) and 
Fa is a congruence, we can conclude that sFa^^r and then sFar. 

Lemma 3. Given a MAS $M$ and an agent $a \in Ag$, for any two reachable states $(q,S)$
and $(r,R)$ in $\Delta_a(M)$, $(q,S)\,\Gamma_a\,(r,R)$ if and only if $S = R$.

Proof. We use Lemma 1 for the proof. 

In the direct sense, if (q, S) is reachable, we have that S = {s \ 3p' in M, p' ~a 
p|^}. From (q,S)Fa(r,R), we have that there exists pin M ending in (r,R) with 
p~aP and 

R={s'€Q\ 3p" in M, p" ~„ -p\\ = {/ 6 Q I 3p" in M, p" ~„ p\\ = S 

In the other direction, let take (g, S) and (r, S*) two reachable states in Z\o(M) then 
for all p that ends in (g, S) we have that 

5 = {s€0| Vin M,p' 

Since (r, S) is reachable, r e S. Then there exists p' in A-I, ending in r with p' ~o 
Then, by the second point of Lemma 1, there exists p' in Aa{M) with p' ~a p which 
ends the proof. 

Proposition 3. 1. For any MAS $M$, $\Delta_a(M)$ is an in-splitting of $M$. We denote this
in-splitting as : $\Delta_a(M) \to M$. Whenever the MAS $M$ is clear from the
context, we use the notation $\Delta_a^{-1}$ instead of A'^^^.
2. For any agent $a \in Ag$ we have that $\Delta_a(M)$ is a-distinguished.

Proof. For the first property, suppose Aa{M) is an in-splitting of M. We define the 
following mapping x • Aa{M) ->■ M for any q',r' e Q,q' = (g, <S'i) and r' = (r, 6*2) 
as: 

Xst(g') = Xstiq,Si) = q 



Xtriq' ->■ r') = q ^ r 



These two mappings satisfy the properties from Definition 2 since: 

Xtr{q r') = q ^ r = Xst{q') ^ Xstir') 
T^iXstiq')) = 7r(q) = Tr{q') by definition 3 

outdeg{xst{(l')) = outdeg{q) = outdeg{q') by definition 3 

Xstiq'o) = Xstiqo,qo) = qo 

The surjectivity follows from the definition and the assumption that we work only with 
MAS in which Q contains only reachable states. 

For the second property, we have to prove that $\Gamma_a$ is a congruence relation over
$\Delta_a(M)$. To prove the symmetry, take $(q,S)\,\Gamma_a\,(r,R)$ in $\Delta_a(M)$. From Lemma 3, we
have that $R = S$.

Let now, take any path p' in Aa{M) ending in (r, S). From Lemma 1 we have that 

S = {qeQl^pmM, ending in q, p ~a p'\^} 

Since {q, S) is reachable, q & S and then, there exists p in M, ending in q such that 
p ~a p'\^- That is, there exists pending in {q,S') s.t.p ~a p' And, using the second 
property of Lemma 1, we get that S' = S, i.e., 

there exists p ending in (g, S) s.t. p ~a p' 

Hence $(r,S)\,\Gamma_a\,(q,S)$, which means that $\Gamma_a$ is symmetric. Reflexivity and transitivity
hold trivially.

For proving that Fa is a congruence, note first that, from the definition of Aa{M) 
if {q, S) -> {q', S') 6 S, (r, S) -> (r', S") e 6 and 7r(q') = 7r(r'), then S' = S" . 

Suppose now that (q, S')r„(r, 5), {q,S) ^ € ~5, (r,S) ^ (r',S") € 5 and 

Tr(q',S') = 7r(r',S"). Then, {q',S') and (r',S') are reachable, and using Lemma 3 we 
may conclude that {q' , S')Fa{r' ,S') which ends on Fa is a congruence relation and 
Aa{M) is a-distinguished. 

Proposition 4. For any MAS $M$ and two agents $a, b \in Ag$ with $\Pi_a \subseteq \Pi_b$, if $M$ is
b-distinguished, then $\Delta_a(M)$ is b-distinguished too.

Proof. For Aa{M) to be fe-distinguished, p^'^^^'> has to be a congruence relation. To 

prove the symmetry of Xdk& {s,S)F^°-^^\r,R). Since 77a ^ -^fa, we have 

that (s, S)Fa{r, R) and then, from Lemma 3, S = R. 

We then also have that for all p e Aa{M) ending in {s,S), there exists p' ending in 
(r, S'),p ~6 p'. That is, 

3p in M ending in s for which 3p' ending in r, p ~b p' 

Since $M$ is b-distinguished, $\Gamma_b^M$ must be a congruence relation, and using Lemma 2 we
have that $s\,\Gamma_b^M\,r$.

Since r'^^ is congruence, we have that rF^s. That is, 

Vp' ending in r, 3p ending in s s.t. p ~6 p' 



Let p' ending in (r, S*). By lemma 1, we have that 6' = {g € Q | 3p in M s.t. p ~a P'\^- 
Also, (s,.?) is reachable, hence, s e 5, i.e., there exists pin M s.t. p ~{, p'|^. Therefore, 
there must exist p in Z\a(M) ending in {s,S') s.t. p ~;, p'. Then, from the second 
property of Lemma 1, we have that p ends in (s, S), and (r, S)rb{s, S). That is, T;, is 
symmetric. 

Next, for proving that /^^'^°(^) ^ congruence, suppose that (r, S')il,(.s, 5), r ^ 
r' e S, s ^ s' 6 S and 7rb(s') = 7r6(r'). From (r, S)rb{s, S) and the fact that 
is a congruence relation, applying Lemma 2 we have that rT^s and then rT^s'. In 
a similar way we write the proof for the symmetry, we prove that {r' , S')ri,{s' , S'), 
where S' = {q' e Q \ Waiq') = 7ra(r') and 3q € S,q ^ q' € 6}. 

The close relationship between the relation $\Gamma_a$ and the epistemic operators is
summarized by the following proposition:

Proposition 5. For any MAS $M$, the following diagram commutes iff $M$ is a-distinguished:

[Diagram (8): commutative square with vertical arrows $t_M^{-1}$ and bottom row $2^{supp(t_M)} \to 2^{supp(t_M)}$.]

The same holds if the pair $K_a/K_a^f$ is replaced with $P_a/P_a^f$.

Proof. Suppose first that the diagram holds and prove that Fa is a congruence. 

For reflexivity the proof is straightforward and the transitivity results from the tran- 
sitivity of ~a. 

Toprovethe symmetry, takegr'ar.Fromgr'arwe have thatt^({r}) £ Pa(tMi{Q}))- 

By the diagram commutativityforPo/P/, we have thatPa(t]^({(j'})) = t]}{Pl {{q})) 
and then t]}({r}) £ t]}(Pi({q})). Applying tM, we obtain r e P/(g). That is rP^g. 
Now, if the diagram commutes for the pair recall first that for aU 5 £ 2^"pp(*"\ P„(6') = 

KajS) and P/(g) = kI(S),^ S c 2^. 

Thereby wehavePa(<^(5)) = K^it^) = Ka{t-j^(S)) = = t]^{Kl(S)) = 

tf}{P^{S)). That is, the diagram commutes for Pal Pi too and we can proceed as 
above for proving symmetry. 

If now the diagram commutes, for proving that $\Gamma_a$ is a congruence, take $q\,\Gamma_a\,r$ and
$q \to q' \in \delta$ and $r \to r' \in \delta$ and $\pi_a(q') = \pi_a(r')$.

From qFar we have that r e P/(g) and then i^K^) E tMiPlM) = Paitljiq))- We 
get that there exists x € supp(tM),a;[|x|] = r and x € Po(iM(9)) ™d therefore there 
exists y 6 supp(tM) with x ~a y and = q. 

Because x ~a y, x[\x\] = r ^ r' and ?y[|j/|] = q ^ q' with TTa{q') = TTa{r') we obtain 
that for x' = xr' and y' = yg' with x' y' x' € Pa(tM(g')) = ^m(^/(9'))- That is, 
(q'y)^ra. 

For the inverse implication, suppose that Fa is a congruence. 

First, we observe thatt^(P/(S')) £ P„(t^ (5)) holds from the fact that t^(Pa(5')) £ 



Recall that we defined qF'^r as: (g, r) € iff Vp, \p\ < n ending in q, 3p' ending 
in r such that p~a p' ■ 

We also define P/'^C^) = e S | 3.s e S*, (s, q) e F^}. 
We now prove 

by induction that Pa(iM(r-)-") £iM(^/'"(0) for all n 6 N and for 

all r 6 Q. 

For n = the inequality trivially holds. Suppose that for n the equation holds for all 
q € Q. Let x e supp{tM), \x\= n + 1, in Pa{t~^(r)-"''^^). We want to prove that it is in 
t-^iPl'^'ir)) too. 

Since x e -Po(tM(7')-"'^^), then there exists y e supp(tM) with x ~a y and y[|y|] = 
r, lyl < n + 1. 

Let X = x'i. Then x' e Pa(iM(y[|yl ~ (from the inductive hypothesis and the 

fact that t^({r})ci^(p/({g}))). 

From the inductive hypothesis, we obtain that x' e t]^^(Pl'"{y[\y\ - 1])) and then 
{y[\y\-l],x'[\x'\])^r^- 

But, because x ~a y, we have that a;'[|x'|] x[\x\] e 6 and - 1] ^ y[\y\] ^ ^ ™d 
TTa{x[\x\]) = 7ra{y[\y\]). Then, y[|y|]Pax[|x|]. This means that a; 6 tM(^/'"^'(^))- 
It results that, for all n e N and for all r e Q, PaC^MC^)"") ^ ^mC^/'^C^)) and then 
-Pa(iM(S')) £ r^iPiiS)), for all 5 which ends the proof of the reverse inclusion. 
From that and from the first inclusion, we can say that Pa(t~j^^{S)) = t~j^{Pl {S)), MS. 

Definition 4. We say that the pair of epistemic operators $K_a/K_a^f$, resp. $P_a/P_a^f$,
commutes for $M$ if the diagram 8 is commutative for the respective pair.

Proposition 5 gives the first restricted form which may lead to the commutativity of
Diagram 2 for formulas of the μ-calculus of knowledge. The second restricted form in
which the pair $K_a/K_a^f$ (resp. $P_a/P_a^f$) commutes with a system is stated as point 2 in
the next proposition:

Proposition 6. Consider two MASs Mi = {Qi,Ag,5i,ql^,n,{na)aiAg-,i^i) (i = l,2j, 
with Qi = {1, . . . , ni} and (^2 = {1, • • • , n2}, related by an in-splitting x = {Xat,Xtr) '■ 
Ml M2, and define the tree mapping x '■ supp(tMi) -* supp{tM2), where x{e) = e 
and x{xi) = x{x) ■ Xst{i), for any x 6 supp(fMi) and i e Qi. Then the following 
properties hold: 

L xis a tree isomorphism between Imi and and ° X = X° ^Mi- 
2. For any closed formula 4> of the ^-calculus of knowledge for which the diagram 2 
commutes in the system M2, the following property holds: 

uw^t-^.ixsimM^)) 

Proof. The first property is implied by the bijectivity of x the fact that x is an 
in- splitting and the property 3 of Definition 2. 

For the second property, we may easily prove that 

tM2{.X{x))=Xst{tM^{x)) (9) 

Let x' 6 supp(tMi)- Then, by definition of x, x' = xi for some x e supp(tMi) and 

i e Qi. 

tM2ixix')) = tM^ixixi)) = tM2(xix) ■ Xstii)) = Xst(i) (10) 



On the other hand, we have that 



Xst(<Mi(x')) = Xst(iAfi(-«)) = Xst{i) (11) 

From the last two equations, we can see that Identity 9 holds for any x € supp(iMi )• 
We may observe that x(iMi(a;)) = x(a;[|a;|]) = xi^^) ■ Xst{x[\x\]) = Xst{x[\x\]). 
And from the Identity 9, we have that x(tMi{x)) = ^AfaCxC^^))) for all a; 6 supp(tMi)- 
As a premise of the third property, we may observe that: 

^Mi ° Xjt = X"^ ° 

From this, combined with the hypothesis on the commutativity of diagram 2 for (f) in 
M2, the isomorphism property for x in Proposition 1, and Identity 9, we get: 

11011m, = r'(ii'^llM.) = r'(iM.(mM.)) = ti(x;t([<^lM.)) 

Remark 5 The previous proposition tells us that, for closed formulas of the μ-calculus
of knowledge for which Diagram 2 commutes in $M_2$, in the eventuality that the system
$M_2$ needs to be replaced with a "larger" system $M_1$ (for reasons related with the
"determinization" that ensures the first type of commutativity of $K_a/P_a$), the validity of $\phi$
on the tree can be recovered from the set of states $\chi_{st}^{-1}([\phi]_{M_2})$, through the inverse
tree mapping $t_{M_1}^{-1}$.

We now have the essential ingredients that ensure the decidability of the model-checking
problem for the μ-calculus of non-mixing epistemic fixpoints. The algorithm
runs as follows: we proceed by constructing the state-transformer interpretations of the
subformulas of $\phi$ on the given system $M$, in a bottom-up traversal of the syntactic
tree $T_\phi$. As long as we only treat subformulas not containing any epistemic operator,
Theorem 2 ensures that these state transformers are correct finitary abstractions of the
tree semantics of our subformulas.

The first time we encounter in $T_\phi$ an epistemic operator $K_a/P_a$, say, the subformula
in the current node is $K_a\phi'$, we need to replace $M$ with its a-distinction, $\Delta_a(M)$, in
order for the appropriate diagram to commute. This replacement is easier when $\phi'$ is a
closed plain μ-calculus formula. By combining Propositions 6 and 5, the tree semantics
of the formula $K_a\phi'$ can be computed using the state transformer $K_a^f(\Delta_a^{-1}([\phi']_M))$ in
$\Delta_a(M)$, where $\Delta_a^{-1}([\phi']_M)$ represents the set of states in $\Delta_a(M)$ on which $\phi'$ holds.

The procedure is different when $\phi'$ is non-closed. In this situation, we cannot
determinize $M$, as observed in Remark 4. Therefore we need to descend along the
syntactic tree to all the "nearest" nodes whose formulas are closed, and only there
apply the a-distinction construction, thanks to Proposition 6.

Suppose even further that $\phi'$ itself contains other knowledge operators, and some
other knowledge operator $K_b$ is encountered during this descent. The "nonmixing"
assumption on our formula implies that this other agent $b$ has compatible observability
with our $a$ ($K_a$ and $K_b$ are non-closed at the node associated with $K_a$). Therefore, the
a-distinction of the models applied at lower levels commutes with $K_b$, a fact which is
ensured by Proposition 5 when the two agents have compatible observability.

This whole process ends when we arrive in the root of the syntactic tree, with an
in-splitting $M'$ of the initial system $M$ and a (constant) state-transformer a, which gives
the finitary abstraction of the set of nodes of the tree $t_M$ where $\phi$ holds. The following
paragraphs formalize this process.

Proof (Proof of Theorem 3). Given a formula ^ in the /^-calculus of non-mixing epis- 
temic fixpoints and a MAS M, we associate with each node a; of an in-spUtting 
mapping, denoted T^"*(x), such that the following properties hold: 

1. Fortherooteandanynotclosednodea;insupp(r^), T^"*(e) = ic^M and T^"* (a;) = 
idM', with M and M' appropriate MASs. 

2. Forany € supp(T^),7; e {1,2}, co(iom(r^""(x)) = dom{Tl'''{xi)), 

3. For any nodes Xi,X2 € supp(T^) with xi < X2, the in-splitting mapping between 
the two nodes is the composition of the mappings from xi to X2. Formally, 

{XI...X2)= (xi)o...or^ (X2) 

Then, for any Xi,X2 leaves in T^, T^"*(e...xi) = T^"*(e...X2), where e is the root. 

4. For any node x\ which is a nearest closed successor of the root e, if AgNCl^(e) = 
{ai, . . . , ttfe} and £ ... £ Ua^, then T^"*(a;i) has the form: 

«(a;i) = A-]....o A-] o x, for some x, 

Next, assuming that T^"^ is constructed with all the properties above, we denote 

In^CT^"") = r^""(e....x) with x any leave in T^. 

The construction of T"^"'^ proceeds by structural induction on (t>. Whenever we want 
to emphasize a property of the root of the syntactic tree T^, we denote it e'^. 

For tiie base case we put T/"''(e) = T^'^^e) = idM, for any p e iT. For (j) = Z, 
Z <i Z, note that, by construction, the root of Tz has a leaf successor which is the only 
child node. Then, T|""(e) = T|""(1) =idM. 

For the induction case, take a formula ^ = Op.4>' where Op 6 {A.X^ EX, fiZ, vZ}, 
and assume r^,"*(x) is defined. Then we put T^"'*(lx) = r^"*(a;) for any node x of 

supp(T0O' and T^""(e'^) = i^m', where M' = dom(r^,"'*(e'^')). 

Suppose <j) = Ka(f>' OT <j) = Pacj)' ■ Notc that for each node Ix which is not closed in 
T0, the node x is not closed in T^' either. Then we put r^"'*(lx) = r^"*(x) = z^m', 
with M' the appropriate MAS. We also put T|"''(e*) = /^Mo for the appropriate Mq. 
Furthermore, for each closed node Ixi e supp(r0) which nof a nearest closed successor 
of e"^, we put T^"''(la;i) = T^r (a;i). 

Take further a node Ixi which is a nearest closed successor of the root e** and 
AgNCL{e'^) = {ai, ak}. By the above property 4 from the induction hypothesis, 
the in-splitting mapping in xi is of the form T^V^{x\) = o . . . o o ^ with 
c . . . c jJa,. ■ On the other hand, by the assumption that ^ is a nonmixing formula, 
a must have compatible observability with all the agents ai, . . . , a^. Therefore, there 
must exist some i < k such that Ilai £ ... £ ila^ Q Ila ^ ^oi+i £ • • • £ na^. . We then 
define 

T^'^-Vlrj;, ) = Zi-l o . . . o Zi^l o Zi-l o Z\-l o . . . o o Y 

Note that the domain and the codomain of each A~^, (j < i) are different in T^"* from 
those in Tf"*, due to the insertion of A~^. 



According to the above constractions for cf) = Kacj)' of </> = Pa(l)', all the four prop- 
erties are satisfied by T^"", the fourth one resulting from the construction of the in- 
splitting mapping for the nearest closed successors of the root. 

Finally, take </> = </>iOp h (Op e {a, v}). If T^^-' = T^^^ put T^^"^(ln) = T^\"^(x) 
for all nodes x 6 supp(T^i ), T^""' (2n) =T^^' (x) for all n 6 supp(T^ J and T^"'(e) = 
Mm- 

Suppose now T^^"' * r^^"^ Consider AgNCl(l) = {ai, . . . , a^} and AgNCl(2) = 
{bi,... ,bi} with Ilai £ ... £ ilafc and J7{,j £ . . . c iT;,^ . Take then a node xi which is a 
nearest closed successor of the root of T^^ , e'^'^ , and a node X2 which is a nearest closed 
successor of e"^^. By the induction hypothesis we have: 

«(xi) = . . . o A-l o XI /n5(r^^-) = ^(xi) o 

= /i,^ . . . o Z\,i o X2 /n5(r4"^) = Tl^^ix,) o 

with appropriate in-splittings Xi > x'l , X2 , X2 • 

On the other hand, by the assumption on (f) being nonmixing, for any i < k,j < I, 
the two agents and bj must have compatible observability. It therefore follows that 
there exists a reordering of the union {ai, . . . , a^} u {bi, . . . , 6;} as {ci, . . . , Cm} such 
that Ilci E ^ci+i for all i < m - 1. Denote then: 

Xo = ° ■ . ■ ° /i^l 

By Proposition 4, xo is a c-distinction for any c € {ai, . . . , afe} u {61, . . . , 6;}. Also, 
by property 2 of the induction hypothesis, xo is independent of the choice of the nodes 

Xi,X2. 

The same property from the induction hypothesis also ensures that, for any nearest 
closed successor X2 of e'^^, there exist in-sphttings X2^'^^ ) xt^'^^ such that: 

Tl^\x2) = Allo...o All ° Xf"^^ InS{Tl^^^) = T^^^ix^) o xt''^^ (12) 

We will then construct T^"*(-) as follows: 

1. For each closed node x which is a leaf in T^^ but not a nearest closed successor of 

we put r^^"«(la;) = T^^^x) o X2 ° X2- 

2. For each non-leaf, closed node x in T^^ which is not a nearest closed successor of 
e"^i we copy r^""(lx) = 

3. For each nearest closed successor x of e'^^ which is not a leaf in T^^ we put 
rf'(la^)=Xo°Xi. 

4. For each closed node x which is a leaf in T^^ and a nearest closed successor of e"^^ , 
we put T^"'*(la;) = Xo ° Xi ° x'l ° X2 ° X2- 

5. For each closed node x which is not a close successor of e^^ we copy T^"*(2a;) = 

6. For each closed node X which is a nearest closed successor of e*^^ weputT^"''(2a;) = 

Xo ° Xi ° Xi ° X2^'^» where xf^'^ is the in-splitting mapping associated to node x 
as in Identity 12 above. 

7. For the root e and the non- closed nodes x of T^, r^""(e) = Idn' and r^""(a;) = 
/rfM", with M' and M" appropriate MASs. 



It's not difficult to see that the resulting mapping satisfies the five desired 

properties. More specifically, property 2 amounts to the following identity: 

7n5(T^^"^)=Xo°Xi°x'i°X2°X2 

Further, let denote the MAS which is the domain of the in-splitting T^"''^{x), 
and denote Qx its state-space. Also, for convenience, we denote the MAS which 
represents the codomain of T^"*(a;), and its state-space. Note that when x,xl e 
supp(T^), Mx = Mxi, and similarly Af ,. = Mx2 when x2 e supp(r0). 

Once we built the tree T^"*, we associate with each node x in a state-transformer 
that will give aU the information on the satisfiability of forrn{x) in the given model. 
Formally, we build a tree T|*'' whose domain is supp(r0) \ {x \ T^{x) = i} and 
which, for each node x, represents a state-transformer T^*-^{x) : (2'^^')^ ->■ 2'^'^. The 
construction will be achieved such that 

\\form{x)\\o{t-^J = t-^^oT;'^ix) (13) 

for each node x with forin{x) + i. 

The construction proceeds bottom-up on supp(T0). We actually build two trees, 

T|*'- and Tf, such that TfCx) : (2^0" - 2«« andr|*'-(x) = (x)o[(Tf ^(x))"']", 
that is, 

Tf^{x){Su...,Sn)-Tf{x){{Tl-\x))-\s,,...,Sn)) (14) 

Note that, once we build T^^^(x) for a node x, T^'^{x) is defined by Identity 14, so we 

only explain the construction for T^^^(x). 

For X leave in with T^{x) = p e U, we put T^* '^(.x) = \p]m, the constant state- 
transformer. Recall that we do not define Tf''{x) for T^{x) = i. For T^{x) = Zi & Z 

we put T^*'^(x)(S'i, . . . , Sn) = Si, the i-th projection on (2'^- )". 

For nodes x with T^{x) = Op e {AX, EX, Ka, -Pa I a e Ag} we put 

r^\x)iSu. ..,Sn) = Op{T;'^ixl)iSi, Sn)) 

ForT^x) e {a, v} weputT;*"(a;)(5i, . . . , 5„) = (T^^*'-(x1)(5i, . . . ,5„))Op(Tf '^(x2)(5i, 
For T^{x) = fiZi with 1 < i < n we put (x) = Ifp^^rpstTf^^^^y and, similarly, for 

T^{x) = lyZi we define T^^^'ix) = gfp[-ret.(^i)^. 

The validity of the Identity 13 is a corollary of Propositions 5 and 6. 

The final step consists of checking whether Qq e T^*'"(e), where Qq is the initial state 
in the MAS associated with the root of T^. 

The following result follows from a similar result for LTLK from [22]. A
self-contained proof can be found in [?]:

Theorem 6. The model checking problem for the μ-calculus of non-mixing epistemic
fixpoints is hard for non-elementary time.



6 Conclusions and comments 



We have presented a fragment of the μ-calculus of knowledge having a decidable
model-checking problem. We argued in the introduction that the decidability result does
not seem to be achievable using tree automata or multi-player games. Two-player games
with one player having incomplete information and with non-observable winning
conditions from [6] do not seem to be appropriate for the whole calculus as they are only
equivalent with a restricted type of combinations of knowledge operators and fixpoints,
as shown on page 9. We conjecture that the formula I'Zi^p v AX.PnZ^ is not equivalent
with any (tree automaton presentation of a) two-player game with path winning
conditions. Translating this formula to a generalized tree automaton seems to require
specifying a winning condition on concatenations of finite paths in the tree with "jumps"
between two identically-observable positions in the tree. This conjecture extends the
non-expressivity results from [4] relating ATL and μ-ATL.

The second reason for which the above-mentioned generalization would not work
comes from results in [9] showing that the satisfiability problem for CTL or LTL is
undecidable with the concrete observability relation presented here. It is then to be expected
that if a class of generalized tree automata is equivalent with the μ-calculus of
non-mixing epistemic fixpoints, then that class would have an undecidable emptiness
problem and only its "testing problem" would be decidable. Therefore, the classical
determinacy argument for two-player games would not be translatable to such a class of
automata.